Use relative links to files (#1025)

Jonah Aragon 2022-04-14 09:10:16 -05:00 committed by GitHub
parent d2c9864497
commit 28a5f9b2a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 337 additions and 337 deletions

View File

@ -98,6 +98,6 @@ For complaints under GDPR more generally, European Union users may lodge complai
This version of our privacy statement took effect April 4th, 2022.
We will post any new versions of this statement [here](/about/privacy-policy). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](/about/privacy-policy) for the latest contact information at any time.
We will post any new versions of this statement [here](privacy-policy.en.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.en.md) for the latest contact information at any time.
A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.en.md) of this page can be found on GitHub.
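Review bot: The new link targets in this hunk hard-code a locale suffix (`privacy-policy.en.md`), while the other files in this commit link to unsuffixed names such as `threat-modeling.md` and `dns.md`. If the page was renamed to `.en.md` as part of this change, the commit message should say so; otherwise pick one naming scheme. The GitHub history URL was also changed to `.../docs/about/privacy-policy.en.md`, which is only correct if the file exists under that name on `main`.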

View File

@ -12,8 +12,8 @@ The main privacy concern with most Android devices is that they usually include
!!! recommendation
![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ align=right }
![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
**GrapheneOS** is the best choice when it comes to privacy and security.
@ -21,7 +21,7 @@ The main privacy concern with most Android devices is that they usually include
[Visit grapheneos.org](https://grapheneos.org/){ .md-button .md-button--primary } [Privacy Policy](https://grapheneos.org/faq#privacy-policy){ .md-button }
Notably, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](/android/#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
Notably, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
@ -33,7 +33,7 @@ Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet i
!!! recommendation
![CalyxOS logo](/assets/img/android/calyxos.svg){ align=right }
![CalyxOS logo](assets/img/android/calyxos.svg){ align=right }
**CalyxOS** is a decent alternative to GrapheneOS.
@ -53,7 +53,7 @@ Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/d
!!! recommendation
![DivestOS logo](/assets/img/android/divestos.svg){ align=right }
![DivestOS logo](assets/img/android/divestos.svg){ align=right }
**DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
@ -64,7 +64,7 @@ DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki
DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](/android/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and 18.1 feature GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, and [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). All branches additionally have various miscellaneous patches courtesy of GrapheneOS.
DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and 18.1 feature GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, and [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). All branches additionally have various miscellaneous patches courtesy of GrapheneOS.
!!! attention
@ -112,7 +112,7 @@ Modern Android devices have global toggles for disabling [Bluetooth](https://en.
!!! recommendation
![Orbot logo](/assets/img/android/orbot.svg){ align=right }
![Orbot logo](assets/img/android/orbot.svg){ align=right }
**Orbot** is a free proxy app that routes your connections through the Tor Network.
@ -138,7 +138,7 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
!!! recommendation
![Shelter logo](/assets/img/android/shelter.svg){ align=right }
![Shelter logo](assets/img/android/shelter.svg){ align=right }
**Shelter** is an app that helps you leverage the Android work profile to isolate other apps.
@ -164,8 +164,8 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
!!! recommendation
![Auditor logo](/assets/img/android/auditor.svg#only-light){ align=right }
![Auditor logo](/assets/img/android/auditor-dark.svg#only-dark){ align=right }
![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
**Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently it works with GrapheneOS and the device's stock operating system.
@ -185,15 +185,15 @@ Auditor performs attestation and intrusion detection by:
No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
If your [threat model](/threat-modeling/) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
If your [threat model](threat-modeling.md) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
### Secure Camera
!!! recommendation
![Secure camera logo](/assets/img/android/secure_camera.svg#only-light){ align=right }
![Secure camera logo](/assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
**Secure Camera** is an camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
@ -219,8 +219,8 @@ Main privacy features include:
!!! recommendation
![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
**Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
@ -236,7 +236,7 @@ Main privacy features include:
!!! recommendation
![PrivacyBlur logo](/assets/img/android/privacyblur.svg){ align=right }
![PrivacyBlur logo](assets/img/android/privacyblur.svg){ align=right }
**PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
@ -257,7 +257,7 @@ Main privacy features include:
[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful [Verified Boot](https://source.android.com/security/verifiedboot). Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses.
Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](/dns) or [VPN](/vpn) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](dns.md) or [VPN](vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
@ -279,7 +279,7 @@ It's important to not use an [end-of-life](https://endoflife.date/android) versi
[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant users control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All user installed apps are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
Should you want to run an app that you're unsure about, consider using a user or work [profile](/android/#android-security-privacy).
Should you want to run an app that you're unsure about, consider using a user or work [profile](android/#android-security-privacy).
### Advanced Protection Program
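Review bot: The replacement `[profile](android/#android-security-privacy)` is neither a same-page anchor nor a link to a source file. The same target is rewritten to `#android-security-privacy` in the other hunks of this file; as written here it resolves relative to the current page, to a nested `android/` path. Suggest `#android-security-privacy` here as well.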
@ -362,7 +362,7 @@ We have these general tips:
- Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with.
- Check if there are any differences between the F-Droid version and the Google Play Store version. Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google.
Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy issues in your [threat model](/threat-modeling/).
Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy issues in your [threat model](threat-modeling.md).
#### Droid-ify
@ -386,9 +386,9 @@ To mitigate these problems, we recommend [Droid-ify](https://github.com/Iamlooke
### Profiles
CalyxOS includes a device controller app so there is no need to install a third party app like [Shelter](/android/#recommended-apps). GrapheneOS plans to introduce nested profile support with better isolation in the future.
CalyxOS includes a device controller app so there is no need to install a third party app like [Shelter](#recommended-apps). GrapheneOS plans to introduce nested profile support with better isolation in the future.
GrapheneOS extends the [user profile](/android/#android-security-privacy) feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future.
GrapheneOS extends the [user profile](#android-security-privacy) feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future.
### Sandboxed Google Play vs Privileged MicroG
@ -404,7 +404,7 @@ From a usability point of view, Sandboxed Google Play also works well with far m
Android 12 comes with special support for seamless app updates with [third party app stores](https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html). The popular Free and Open Source Software (FOSS) repository [F-Droid](https://f-droid.org) doesn't implement this feature and requires a [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged) to be included with the Android distribution in order to have unattended app installation.
GrapheneOS doesn't compromise on security; therefore, they do not include the F-Droid extension. Users have to confirm all updates manually if they want to use F-Droid. Alternatively, they can use the Droid-ify client which does support seamless app updates in Android 12. GrapheneOS officially recommends [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play) instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like [NewPipe](/video-streaming)).
GrapheneOS doesn't compromise on security; therefore, they do not include the F-Droid extension. Users have to confirm all updates manually if they want to use F-Droid. Alternatively, they can use the Droid-ify client which does support seamless app updates in Android 12. GrapheneOS officially recommends [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play) instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like [NewPipe](video-streaming.md)).
CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged), which may lower device security. Seamless app updates should be possible with [Aurora Store](https://auroraoss.com) in Android 12.

View File

@ -12,7 +12,7 @@ These are our current web browser recommendations and settings. We recommend kee
!!! recommendation
![Tor Browser logo](/assets/img/browsers/tor.svg){ align=right }
![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
**Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels - *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels.
@ -36,7 +36,7 @@ These are our current web browser recommendations and settings. We recommend kee
!!! recommendation
![Firefox logo](/assets/img/browsers/firefox.svg){ align=right }
![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
**Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
@ -99,7 +99,7 @@ The [Firefox sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) serv
#### Extensions
We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](/browsers/#additional-resources) might be useful to you. The extension is also a 🏆️ [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](#additional-resources) might be useful to you. The extension is also a 🏆️ [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
#### Arkenfox (advanced)
@ -115,7 +115,7 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
!!! recommendation
![Bromite logo](/assets/img/browsers/bromite.svg){ align=right }
![Bromite logo](assets/img/browsers/bromite.svg){ align=right }
**Bromite** is a [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
@ -145,7 +145,7 @@ These options can be found in *Privacy and Security* ( ⁝ → ⚙️ Settings
!!! recommendation
![Safari logo](/assets/img/browsers/safari.svg){ align=right }
![Safari logo](assets/img/browsers/safari.svg){ align=right }
**Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
@ -197,7 +197,7 @@ If you use iCloud, we also recommend checking to ensure Safari's default downloa
#### Extensions
We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](/browsers/#additional-resources) might be useful to you.
We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](#additional-resources) might be useful to you.
## Additional Resources
@ -205,7 +205,7 @@ We generally do not recommend installing [any extensions](https://www.sentinelon
!!! recommendation
![uBlock Origin logo](/assets/img/browsers/ublock_origin.svg){ align=right }
![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
**uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
@ -230,7 +230,7 @@ uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBl
!!! recommendation
![AdGuard logo](/assets/img/browsers/adguard.svg){ align=right }
![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
**AdGuard for Safari** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
@ -255,7 +255,7 @@ There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html
!!! recommendation
![Terms of Service; Didn't Read logo](/assets/img/browsers/terms_of_service_didnt_read.svg){ align=right }
![Terms of Service; Didn't Read logo](assets/img/browsers/terms_of_service_didnt_read.svg){ align=right }
**Terms of Service; Didn't Read** grades websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analyses and ratings are published transparently by a community of reviewers.

View File

@ -6,14 +6,14 @@ Calendaring and contacts are some of the most sensitive data posess. Use only pr
## Software as a service (SaaS) only
These products are included with an subscription to the respective [email providers](/email).
These products are included with an subscription to the respective [email providers](email.md).
### Tutanota
!!! recommendation
![Tutanota logo](/assets/img/calendar-contacts/tutanota.svg#only-light){ align=right }
![Tutanota logo](/assets/img/calendar-contacts/tutanota-dark.svg#only-dark){ align=right }
![Tutanota logo](assets/img/calendar-contacts/tutanota.svg#only-light){ align=right }
![Tutanota logo](assets/img/calendar-contacts/tutanota-dark.svg#only-dark){ align=right }
**Tutanota** has an [encrypted calendar](https://tutanota.com/blog/posts/free-encrypted-calendar/) in their desktop and mobile clients.
@ -33,7 +33,7 @@ These products are included with an subscription to the respective [email provid
!!! recommendation
![Proton Calendar logo](/assets/img/calendar-contacts/proton-calendar.svg){ align=right }
![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ align=right }
**Proton Calendar** is an calendar app that is available to ProtonMail users. All data stored within it is end-to-end encrypted when stored on ProtonMail's servers.
@ -51,7 +51,7 @@ Some of these options are self-hostable, or able to be hosted by third party pro
!!! recommendation
![EteSync logo](/assets/img/calendar-contacts/etesync.svg){ align=right }
![EteSync logo](assets/img/calendar-contacts/etesync.svg){ align=right }
**EteSync** is a secure, end-to-end encrypted, and privacy-respecting cloud backup and synchronization software for your personal information (e.g. contacts and calendars). There are native clients for Android, iOS, and the web, and an adapter layer for most desktop clients.
@ -70,7 +70,7 @@ Some of these options are self-hostable, or able to be hosted by third party pro
!!! recommendation
![Nextcloud logo](/assets/img/calendar-contacts/nextcloud.svg){ align=right }
![Nextcloud logo](assets/img/calendar-contacts/nextcloud.svg){ align=right }
**Nextcloud** is a suite of client-server software for creating and using file hosting services. This includes calendar sync via CalDAV and contacts sync via CardDAV. Nextcloud is free and open-source, thereby allowing anyone to install and operate it without charge on a private server.
@ -92,11 +92,11 @@ Some of these options are self-hostable, or able to be hosted by third party pro
!!! recommendation
![DecSync logo](/assets/img/calendar-contacts/decsync.svg){ align=right }
![DecSync logo](assets/img/calendar-contacts/decsync.svg){ align=right }
**DecSync CC** synchronizes contacts, calendars and tasks using DecSync. It stores this data in a shared directory, using [Syncthing](/file-sharing/#syncthing), or any other file synchronization service.
**DecSync CC** synchronizes contacts, calendars and tasks using DecSync. It stores this data in a shared directory, using [Syncthing](file-sharing/#syncthing), or any other file synchronization service.
There are [plugins](https://github.com/39aldo39/DecSync#rss) to sync other types of data such as [RSS](/news-aggregators).
There are [plugins](https://github.com/39aldo39/DecSync#rss) to sync other types of data such as [RSS](news-aggregators.md).
[Visit github.com](https://github.com/39aldo39/DecSync){ .md-button .md-button--primary }
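Review bot: `[Syncthing](file-sharing/#syncthing)` only lost its leading slash and was not converted to a file link, unlike `[RSS](news-aggregators.md)` two lines below it. Suggest `file-sharing.md#syncthing`, the form used for the other internal page links in this commit.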

View File

@ -10,7 +10,7 @@ Trust your provider by using an alternative below that supports [end-to-end encr
!!! recommendation
![Nextcloud logo](/assets/img/cloud/nextcloud.svg){ align=right }
![Nextcloud logo](assets/img/cloud/nextcloud.svg){ align=right }
**Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It also comes with experimental end-to-end encryption (E2EE).
@ -36,7 +36,7 @@ When self hosting Nextcloud, you should also remember to enable E2EE to protect
!!! recommendation
![Proton Drive logo](/assets/img/cloud/protondrive.svg){ align=right }
![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
**Proton Drive** is an end-to-end encrypted (E2EE) general file storage service by the popular encrypted email provider [ProtonMail](https://protonmail.com).
@ -47,7 +47,7 @@ When self hosting Nextcloud, you should also remember to enable E2EE to protect
Proton Drive is currently in beta and only is only available through a web client.
When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](/threat-modeling/), consider using an alternative.
When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](threat-modeling.md), consider using an alternative.
### Cryptee

View File

@ -73,16 +73,16 @@ Select **Settings** → **Network & Internet** → **Ethernet or WiFi**, &
## Encrypted DNS Proxies
Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/dns/#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](/dns/#what-is-encrypted-dns).
Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](technology/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](technology/dns.md#what-is-encrypted-dns).
### RethinkDNS
!!! recommendation
![RethinkDNS logo](/assets/img/android/rethinkdns.svg#only-light){ align=right }
![RethinkDNS logo](/assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
**RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNS-over-TLS](/dns/#dns-over-tls-dot), [DNSCrypt](/dns/#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
**RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNS-over-TLS](technology/dns.md#dns-over-tls-dot), [DNSCrypt](technology/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
[Visit rethinkdns.com](https://rethinkdns.com){ .md-button .md-button--primary } [Privacy Policy](https://rethinkdns.com/privacy){ .md-button }
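Review bot: The links in this hunk now point at `technology/dns.md`, which is a different target and not just a relative form of the old `/dns/` URL, and the Android page in this same commit links the DNS page as `dns.md`. Both cannot be right if the two pages sit in the same directory (both reference `assets/img/...`). Confirm which file holds the `#unencrypted-dns`, `#what-is-encrypted-dns`, `#dns-over-https-doh`, `#dns-over-tls-dot` and `#dnscrypt` anchors and use that path consistently.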
@ -95,9 +95,9 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/d
!!! recommendation
![DNSCloak logo](/assets/img/ios/dnscloak.png){ align=right }
![DNSCloak logo](assets/img/ios/dnscloak.png){ align=right }
**DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
**DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNSCrypt](technology/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
[Visit github.com](https://github.com/s-s/dnscloak/blob/master/README.md){ .md-button .md-button--primary } [Privacy Policy](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .md-button }
@ -109,13 +109,13 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/d
!!! recommendation
![dnscrypt-proxy logo](/assets/img/dns/dnscrypt-proxy.svg){ align=right }
![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
**dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](/dns/#dnscrypt), [DNS-over-HTTPS](/dns/#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
**dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](technology/dns.md#dnscrypt), [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
[Visit github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
**Downloads**
- [:fontawesome-brands-github: Source](https://github.com/DNSCrypt/dnscrypt-proxy)
!!! warning "The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
!!! warning "The anonymized DNS feature does [**not**](technology/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
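Review bot: the DNS links in this hunk change their target as well as their form. `/dns/#dnscrypt` becomes `technology/dns.md#dnscrypt` and `/dns#why-shouldnt-i-use-encrypted-dns` becomes `technology/dns.md#why-shouldnt-i-use-encrypted-dns`, while every other page touched by this commit is linked as a sibling file (`email-clients.md`, `calendar-contacts.md`). Please confirm that `technology/dns.md` exists at that path relative to this file and still carries these anchors. The same target is used in the RethinkDNS and DNSCloak entries above. Separately, the unchanged Privacy Policy button for dnscrypt-proxy points at libreoffice.org, which looks like a copy-paste leftover worth fixing in a follow-up.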

View File

@ -2,20 +2,20 @@
title: "Email Clients"
icon: material/email-open
---
Our recommendation list contains email clients that support both [OpenPGP](/encryption/#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](/multi-factor-authentication) and prevent account theft.
Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](multi-factor-authentication) and prevent account theft.
??? Attention "Email does not provide forward secrecy"
When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have [some metadata](/email/#email-metadata-overview) that is not encrypted in the header of the email.
When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](/email/#email-encryption-overview). Consider using a medium that provides forward secrecy:
OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](email.md#email-encryption-overview). Consider using a medium that provides forward secrecy:
[Real-time Communication](/real-time-communication){ .md-button .md-button--primary }
[Real-time Communication](real-time-communication.md){ .md-button .md-button--primary }
### Thunderbird
!!! recommendation
![Thunderbird logo](/assets/img/email-clients/thunderbird.svg){ align=right }
![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
**Thunderbird** is a free, open source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
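Review bot: in the first paragraph of this hunk the Multi-Factor Authentication link becomes `(multi-factor-authentication)` with no `.md` suffix, unlike `encryption.md#openpgp` on the same line and `real-time-communication.md` a few lines down. As written it is a relative URL rather than a link to a file, which does not match the stated goal of the commit. Suggest `(multi-factor-authentication.md)`.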
@ -32,12 +32,12 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![Apple Mail logo](/assets/img/email-clients/applemail.png){ align=right }
![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
**Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](/encryption/#gpg-suite), which adds the ability to send encrypted email.
**Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption/#gpg-suite), which adds the ability to send encrypted email.
!!! note
For iOS devices we suggest [Canary Mail](/email-clients/#canary-mail) as it has PGP support which means you can send end-to-end encrypted email.
For iOS devices we suggest [Canary Mail](#canary-mail) as it has PGP support which means you can send end-to-end encrypted email.
[Visit apple.com](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/en-ww/){ .md-button }
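Review bot: the GPG Suite link in the Apple Mail entry only loses its leading slash, `/encryption/#gpg-suite` to `encryption/#gpg-suite`, so it is still a URL path, now relative to the current page, rather than a link to the file. The other encryption link in this file was converted to `encryption.md#openpgp`, so this one should be `encryption.md#gpg-suite` to match. The `#canary-mail` same-page anchor in the note below it looks fine.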
@ -45,7 +45,7 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![Evolution logo](/assets/img/email-clients/evolution.svg){ align=right }
![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
**Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
@ -59,7 +59,7 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![Kontact logo](/assets/img/email-clients/kontact.svg){ align=right }
![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
**Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
@ -74,7 +74,7 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![Mailvelope logo](/assets/img/email-clients/mailvelope.svg){ align=right }
![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
**Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
@ -90,7 +90,7 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![K-9 Mail logo](/assets/img/email-clients/k9mail.svg){ align=right }
![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
**K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
@ -105,7 +105,7 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![FairEmail logo](/assets/img/email-clients/fairemail.svg){ align=right }
![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
**FairEmail** is a minimal, open source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
@ -120,7 +120,7 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
!!! recommendation
![Canary Mail logo](/assets/img/email-clients/canarymail.svg){ align=right }
![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
**Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
@ -142,7 +142,7 @@ Canary Mail is closed source. We recommend it, due to the few choices there are
!!! recommendation
![Neomutt logo](/assets/img/email-clients/mutt.svg){ align=right }
![Neomutt logo](assets/img/email-clients/mutt.svg){ align=right }
NeoMutt is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.

View File

@ -23,11 +23,11 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
!!! recommendation
![ProtonMail logo](/assets/img/email/protonmail.svg){ align=right }
![ProtonMail logo](assets/img/email/protonmail.svg){ align=right }
**ProtonMail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. ProtonMail is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
Free accounts have some limitations, such as not being able to search body text and not having access to [ProtonMail Bridge](https://protonmail.com/bridge), which is required to use a [recommended desktop email client](/email-clients) (e.g. Thunderbird). Paid accounts are available starting at **€48/y** which include features like ProtonMail Bridge, additional storage, and custom domain support.
Free accounts have some limitations, such as not being able to search body text and not having access to [ProtonMail Bridge](https://protonmail.com/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts are available starting at **€48/y** which include features like ProtonMail Bridge, additional storage, and custom domain support.
**Free**
@ -67,7 +67,7 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
!!! recommendation
![Mailbox.org logo](/assets/img/email/mailboxorg.svg){ align=right }
![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
@ -91,7 +91,7 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](/calendar-contacts) may be more appropriate for that information.
However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar-contacts.md) may be more appropriate for that information.
??? check "Email Encryption"
@ -111,8 +111,8 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
!!! recommendation
![Disroot logo](/assets/img/email/disroot.svg#only-light){ align=right }
![Disroot logo](/assets/img/email/disroot-dark.svg#only-dark){ align=right }
![Disroot logo](assets/img/email/disroot.svg#only-light){ align=right }
![Disroot logo](assets/img/email/disroot-dark.svg#only-dark){ align=right }
**Disroot** offers email amongst [other services](https://disroot.org/en/#services). The service is maintained by volunteers and its community. They have been in operation since 2015. Disroot is based in Amsterdam. Disroot is free and uses open source software such as Rainloop to provide service. Users support the service through donations and buying extra storage. The mailbox limit is 1 GB, but extra storage can be purchased 0.15€ per GB per month paid yearly.
@ -136,7 +136,7 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
Disroot uses full disk encryption. However, it doesn't appear to be "zero access", meaning it is technically possible for them to decrypt the data they have if it is not additionally encrypted with a tool like OpenPGP.
Disroot also uses the standard [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) protocols for calendars and contacts, which do not support E2EE. A [standalone option](/calendar-contacts) may be more appropriate.
Disroot also uses the standard [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) protocols for calendars and contacts, which do not support E2EE. A [standalone option](calendar-contacts.md) may be more appropriate.
??? check "Email Encryption"
@ -154,8 +154,8 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
!!! recommendation
![Tutanota logo](/assets/img/email/tutanota.svg#only-light){ align=right }
![Tutanota logo](/assets/img/email/tutanota-dark.svg#only-dark){ align=right }
![Tutanota logo](assets/img/email/tutanota.svg#only-light){ align=right }
![Tutanota logo](assets/img/email/tutanota-dark.svg#only-dark){ align=right }
**[Tutanota.com](https://tutanota.com)** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
@ -163,7 +163,7 @@ Find a secure email provider that will keep your privacy in mind. Dont settle
[Visit Tutanota.com](https://tutanota.com){ .md-button .md-button--primary }
Tutanota [doesn't allow](https://tutanota.com/faq/#imap) the use of third-party [email clients](/email-clients). Tutanota has no plans pull email from [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) using the [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) protocol. [Email import](https://github.com/tutao/tutanota/issues/630) is currently not possible.
Tutanota [doesn't allow](https://tutanota.com/faq/#imap) the use of third-party [email clients](email-clients.md). Tutanota has no plans pull email from [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) using the [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) protocol. [Email import](https://github.com/tutao/tutanota/issues/630) is currently not possible.
Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail). Tutanota does not allow for [subfolders](https://github.com/tutao/tutanota/issues/927) as you might expect with other email providers.
@ -205,8 +205,8 @@ Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/deskto
!!! recommendation
![StartMail logo](/assets/img/email/startmail.svg#only-light){ align=right }
![StartMail logo](/assets/img/email/startmail-dark.svg#only-dark){ align=right }
![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
**StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
@ -230,7 +230,7 @@ Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/deskto
StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When a user logs in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption, so a [standalone option](/calendar-contacts) may be more appropriate.
StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption, so a [standalone option](calendar-contacts.md) may be more appropriate.
??? check "Email Encryption"
@ -248,8 +248,8 @@ Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/deskto
!!! recommendation
![CTemplar Logo](/assets/img/email/ctemplar.svg#only-light){ align=right }
![CTemplar Logo](/assets/img/email/ctemplar-dark.svg#only-dark){ align=right }
![CTemplar Logo](assets/img/email/ctemplar.svg#only-light){ align=right }
![CTemplar Logo](assets/img/email/ctemplar-dark.svg#only-dark){ align=right }
**CTemplar** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. CTemplar has been in operation since **2018** and is run from Iceland. Paid accounts start with 5GB. They offer free accounts by [invitation](https://ctemplar.com/email-creation-restriction/).
@ -427,7 +427,7 @@ There is another standard that was popular with business called [S/MIME](https:/
### What software can I use to get E2EE?
Email providers which allow you to use standard access protocols like [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) and [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) can be used with any of the [email clients we recommend](/email-clients). This can be less secure as you are now relying on email providers to ensure that their encryption implementation works and has not been compromised in anyway.
Email providers which allow you to use standard access protocols like [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) and [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) can be used with any of the [email clients we recommend](email-clients.md). This can be less secure as you are now relying on email providers to ensure that their encryption implementation works and has not been compromised in anyway.
### How do I protect my private keys?
@ -465,14 +465,14 @@ When emails travel between email providers an encrypted connection is negotiated
!!! recommendation
![AnonAddy logo](/assets/img/email/anonaddy.svg#only-light){ align=right }
![AnonAddy logo](/assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
**[AnonAddy](https://anonaddy.com)** lets users create aliases that forward to their email address. Can be self-hosted. [Source code on GitHub](https://github.com/anonaddy/anonaddy).
!!! recommendation
![Simplelogin logo](/assets/img/email/simplelogin.svg){ align=right }
![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
**[SimpleLogin](https://simplelogin.io)** allows you to easily create aliases for your email. Can be self-hosted. [Source code on GitHub](https://github.com/simple-login/app).
@ -484,13 +484,13 @@ Advanced users may consider setting up their own email server. Mailservers requi
!!! recommendation
![Mail-in-a-Box logo](/assets/img/email/mail-in-a-box.svg){ align=right }
![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
**[Mail-in-a-Box](https://mailinabox.email)** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for users to set up their own mail server.
!!! recommendation
![Mailcow logo](/assets/img/email/mailcow.svg){ align=right }
![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
**[Mailcow](https://mailcow.email)** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mailserver with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. **[Mailcow Dockerized docs](https://mailcow.github.io/mailcow-dockerized-docs/)**

View File

@ -12,8 +12,8 @@ The options listed here are multi-platform and great for creating encrypted back
!!! recommendation
![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
**VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
@ -35,7 +35,7 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru
!!! recommendation
![Cryptomator logo](/assets/img/encryption-software/cryptomator.svg){ align=right }
![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
**Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted file system.
@ -57,7 +57,7 @@ Some of the Cryptomator Crypto Libraries have been [audited](https://cryptomator
!!! recommendation
![Picocrypt logo](/assets/img/encryption-software/picocrypt.svg){ align=right }
![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
**Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
@ -77,7 +77,7 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
!!! recommendation
![BitLocker logo](/assets/img/encryption-software/bitlocker.png){ align=right }
![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
**BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
@ -122,7 +122,7 @@ BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-o
!!! recommendation
![FileVault logo](/assets/img/encryption-software/filevault.png){ align=right }
![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
**FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
@ -134,7 +134,7 @@ We recommend storing a local recovery key in a secure place as opposed to utiliz
!!! recommendation
![LUKS logo](/assets/img/encryption-software/luks.png){ align=right }
![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
**LUKS** is the default full disk encryption method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
@ -170,8 +170,8 @@ Browser-based encryption can be useful when you need to encrypt a file but canno
!!! recommendation
![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right }
![hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
**Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
@ -188,7 +188,7 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h
!!! recommendation
![Kryptor logo](/assets/img/encryption-software/kryptor.png){ align=right }
![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
**Kryptor** is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, user friendly alternative to GPG.
@ -204,7 +204,7 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h
!!! recommendation
![Tomb logo](/assets/img/encryption-software/tomb.png){ align=right }
![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
**Tomb** is an is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
@ -231,7 +231,7 @@ When encrypting with PGP, the user has the option to configure different options
!!! recommendation
![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right }
![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
**GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
@ -248,7 +248,7 @@ When encrypting with PGP, the user has the option to configure different options
!!! recommendation
![GPG4win logo](/assets/img/encryption-software/gpg4win.svg){ align=right }
![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
**GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that assist PGP users on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
@ -262,9 +262,9 @@ When encrypting with PGP, the user has the option to configure different options
!!! recommendation
![GPG Suite logo](/assets/img/encryption-software/gpgsuite.png){ align=right }
![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
**GPG Suite** provides OpenPGP support for [Apple Mail](/email-clients/#apple-mail) and macOS. GPGTools GmbH costs $24€ yearly for their support plan and includes a 30-day trial.
**GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. GPGTools GmbH costs $24€ yearly for their support plan and includes a 30-day trial.
We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
@ -276,15 +276,15 @@ When encrypting with PGP, the user has the option to configure different options
!!! note
We suggest [Canary Mail](/email-clients/#canary-mail) for using PGP with email on iOS devices.
We suggest [Canary Mail](email-clients/#canary-mail) for using PGP with email on iOS devices.
### OpenKeychain
!!! recommendation
![OpenKeychain logo](/assets/img/encryption-software/openkeychain.svg){ align=right }
![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
**OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](/email-clients/#k-9-mail) and [FairEmail](/email-clients/#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
**OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
[Visit openkeychain.org](https://www.openkeychain.org){ .md-button .md-button--primary } [Privacy Policy](https://www.openkeychain.org/help/privacy-policy){ .md-button }
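Review bot: the Canary Mail link in the note becomes `email-clients/#canary-mail`, which keeps the directory-style path and only drops the leading slash. The other three links to that page in this hunk use the file form (`email-clients.md#apple-mail`, `email-clients.md#k-9-mail`, `email-clients.md#fairemail`), so this one should be `email-clients.md#canary-mail`.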

View File

@ -10,7 +10,7 @@ Discover how to privately share your files between your devices, with your frien
!!! recommendation
![OnionShare logo](/assets/img/file-sharing-sync/onionshare.svg){ align=right }
![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
**OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
@ -26,7 +26,7 @@ Discover how to privately share your files between your devices, with your frien
!!! recommendation
![Magic Wormhole logo](/assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
Magic Wormhole is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
@ -42,7 +42,7 @@ Discover how to privately share your files between your devices, with your frien
!!! recommendation
![FreedomBox logo](/assets/img/file-sharing-sync/freedombox.svg){ align=right }
![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
**FreedomBox** is a operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to selfhost.
@ -57,7 +57,7 @@ Discover how to privately share your files between your devices, with your frien
!!! recommendation
![Syncthing logo](/assets/img/file-sharing-sync/syncthing.svg){ align=right }
![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
**Syncthing** replaces proprietary sync and cloud services with something open, trustworthy, and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third-party, and how it is transmitted over the Internet.
@ -73,7 +73,7 @@ Discover how to privately share your files between your devices, with your frien
!!! recommendation
![git-annex logo](/assets/img/file-sharing-sync/gitannex.svg){ align=right }
![git-annex logo](assets/img/file-sharing-sync/gitannex.svg){ align=right }
**git-annex** allows managing files with git, without checking the file contents into git. While that may seem paradoxical, it is useful when dealing with files larger than git can currently easily handle, whether due to limitations in memory, time, or disk space.

View File

@ -10,7 +10,7 @@ Linux distributions are commonly recommended for privacy protection and user fre
!!! recommendation
![Fedora logo](/assets/img/linux-desktop/fedora-workstation.svg){ align=right }
![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
**Fedora Workstation** is our recommended distribution for users new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), and soon, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). These new technologies often come with improvements in security, privacy, and usability in general.
@ -22,7 +22,7 @@ Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_releas
!!! recommendation
![openSUSE Tumbleweed logo](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
**openSUSE Tumbleweed** is a stable [rolling release](https://en.wikipedia.org/wiki/Rolling_release) distribution.
@ -36,7 +36,7 @@ Tumbleweed follows a rolling release model where each update is released as a sn
!!! recommendation
![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right }
![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
**Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
@ -44,7 +44,7 @@ Tumbleweed follows a rolling release model where each update is released as a sn
Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
Being a DIY distribution, the user is [expected to setup and maintain](/linux-desktop/#arch-based-distributions) their system. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
Being a DIY distribution, the user is [expected to setup and maintain](#arch-based-distributions) their system. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
A large portion of [Arch Linuxs packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
@ -54,7 +54,7 @@ A large portion of [Arch Linuxs packages](https://reproducible.archlinux.org)
!!! recommendation
![Fedora Silverblue logo](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
**Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
@ -72,7 +72,7 @@ As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fed
!!! recommendation
![NixOS logo](/assets/img/linux-desktop/nixos.svg){ align=right }
![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
@ -94,7 +94,7 @@ Nix is a source-based package manager; if theres no pre-built available in th
!!! recommendation
![Whonix logo](/assets/img/linux-desktop/whonix.svg){ align=right }
![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
**Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet.
@ -112,7 +112,7 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube
!!! recommendation
![Tails logo](/assets/img/linux-desktop/tails.svg){ align=right }
![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
**Tails** is a live operating system based on Debian that routes all communications through Tor.
@ -239,7 +239,7 @@ There isnt much point in randomizing the MAC address for Ethernet connections
### Other identifiers
There are other system [identifiers](https://madaidans-insecurities.github.io/guides/linux-hardening.html#identifiers) which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/threat-modeling):
There are other system [identifiers](https://madaidans-insecurities.github.io/guides/linux-hardening.html#identifiers) which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](threat-modeling.md):
- [10.1 Hostnames and usernames](https://madaidans-insecurities.github.io/guides/linux-hardening.html#hostnames)
- [10.2 Time zones / Locales / Keymaps](https://madaidans-insecurities.github.io/guides/linux-hardening.html#timezones-locales-keymaps)
@ -346,7 +346,7 @@ Note that setting `kernel.unprivileged_userns_clone=0` will stop Flatpak, Snap (
### Linux-Hardened
Some distributions like Arch Linux have the [linux-hardened](https://github.com/anthraxx/linux-hardened), kernel package. It includes [hardening patches](https://wiki.archlinux.org/title/security#Kernel_hardening) and more security-conscious defaults. Linux-Hardened has `kernel.unprivileged_userns_clone=0` disabled by default. See the [warning above](/linux-desktop/#kernel-hardening) about how this might impact you.
Some distributions like Arch Linux have the [linux-hardened](https://github.com/anthraxx/linux-hardened), kernel package. It includes [hardening patches](https://wiki.archlinux.org/title/security#Kernel_hardening) and more security-conscious defaults. Linux-Hardened has `kernel.unprivileged_userns_clone=0` disabled by default. See the [warning above](#kernel-hardening) about how this might impact you.
### Simultaneous multithreading (SMT)
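Review bot: In the changed Linux-Hardened sentence, "has `kernel.unprivileged_userns_clone=0` disabled by default" reads as a double negative: it is unclear whether the sysctl defaults to `0` or whether the `0` setting is turned off. Since the line is being touched anyway, state the default value directly, and drop the stray comma in "[linux-hardened](...), kernel package".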
@ -382,7 +382,7 @@ On systems where [`pam_faillock`](https://man7.org/linux/man-pages/man8/pam_tall
To better protect your [USB](https://en.wikipedia.org/wiki/USB) ports from attacks such as [BadUSB](https://en.wikipedia.org/wiki/BadUSB) we recommend [USBGuard](https://github.com/USBGuard/usbguard). USBGuard has [documentation](https://github.com/USBGuard/usbguard#documentation) as does the [Arch Wiki](https://wiki.archlinux.org/title/USBGuard).
Another alternative option if youre using the [linux-hardened](/linux-desktop/#linux-hardened) is the [`deny_new_usb`](https://github.com/GrapheneOS/linux-hardened/commit/96dc427ab60d28129b36362e1577b6673b0ba5c4) sysctl. See [Preventing USB Attacks with `linux-hardened`](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html).
Another alternative option if youre using the [linux-hardened](#linux-hardened) is the [`deny_new_usb`](https://github.com/GrapheneOS/linux-hardened/commit/96dc427ab60d28129b36362e1577b6673b0ba5c4) sysctl. See [Preventing USB Attacks with `linux-hardened`](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html).
### Secure Boot
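Review bot: The `deny_new_usb` link in the changed line points at a commit in `GrapheneOS/linux-hardened`, while the `#linux-hardened` section it now references links the `anthraxx/linux-hardened` package. Readers following the anchor will land on a different kernel tree than the one the commit belongs to; please confirm the sysctl is present in the package that section recommends, or say which tree it applies to. The link text also lacks a noun ("the linux-hardened kernel").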

View File

@ -10,7 +10,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
!!! recommendation
![MAT2 logo](/assets/img/metadata-removal/mat2.svg){ align=right }
![MAT2 logo](assets/img/metadata-removal/mat2.svg){ align=right }
**MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
@ -29,7 +29,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
!!! recommendation
![ExifCleaner logo](/assets/img/metadata-removal/exifcleaner.svg){ align=right }
![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ align=right }
**ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove [EXIF](https://en.wikipedia.org/wiki/Exif) metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
@ -47,7 +47,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
!!! recommendation
![Scrambled Exif logo](/assets/img/metadata-removal/scrambled-exif.svg){ align=right }
![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ align=right }
**Scrambled Exif** is a metadata removal tool for Android. It can remove [EXIF](https://en.wikipedia.org/wiki/Exif) data for many file formats and has been translated into [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) languages.
@ -66,7 +66,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
!!! recommendation
![Imagepipe logo](/assets/img/metadata-removal/imagepipe.svg){ align=right }
![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ align=right }
**Imagepipe** is a a paint app for Android that can be used to redact photos and also delete [EXIF](https://en.wikipedia.org/wiki/Exif) metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
@ -84,7 +84,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
!!! recommendation
![Metapho logo](/assets/img/metadata-removal/metapho.jpg){ align=right }
![Metapho logo](assets/img/metadata-removal/metapho.jpg){ align=right }
Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
@ -99,7 +99,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
!!! recommendation
![ExifTool logo](/assets/img/metadata-removal/exiftool.png){ align=right }
![ExifTool logo](assets/img/metadata-removal/exiftool.png){ align=right }
**ExifTool** is the [original](https://en.wikipedia.org/wiki/ExifTool) perl library and command-line application for reading, writing, and editing meta information (EXIF, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).

View File

@ -8,7 +8,7 @@ icon: 'material/two-factor-authentication'
!!! recommendation
![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png)
![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH/) authentication.
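Review bot: The relative `assets/img/multi-factor-authentication/yubikey.png` only resolves if this page sits in the same directory as `assets/`. The password-management change in this commit links here as `security/multi-factor-authentication.md`, which suggests a subdirectory; if that is right, this path (and the Nitrokey, Aegis and Raivo OTP images in the following hunks) needs a `../` prefix, and if not, that link is wrong. One of the two should change.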
@ -29,7 +29,7 @@ For models which support HOTP and TOTP, there are 2 slots in the OTP interface w
!!! recommendation
![Nitrokey](/assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
**Nitrokey** has a security key capable of [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
@ -67,7 +67,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
!!! recommendation
![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ align=right }
![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
**Aegis Authenticator** is a free, secure and open source app to manage your 2-step verification tokens for your online services.
@ -82,7 +82,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
!!! recommendation
![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
**Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.

View File

@ -11,9 +11,9 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![Fluent Reader logo](/assets/img/news-aggregators/fluent-reader.svg){ align=right }
![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
**Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](/self-contained-networks/#tor).
**Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](self-contained-networks.md#tor).
[Visit hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Privacy Policy](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button }
@ -26,7 +26,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![GNOME Feeds logo](/assets/img/news-aggregators/gfeeds.svg){ align=right }
![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
**GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
@ -41,7 +41,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![Akregator logo](/assets/img/news-aggregators/akregator.svg){ align=right }
![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
**Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
@ -55,7 +55,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![Handy News Reader logo](/assets/img/news-aggregators/handy-news-reader.svg){ align=right }
![Handy News Reader logo](assets/img/news-aggregators/handy-news-reader.svg){ align=right }
**Handy News Reader** is a fork of [Flym](https://github.com/FredJul/Flym) that has many [features](https://github.com/yanus171/Handy-News-Reader#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) and [RDF](https://en.wikipedia.org/wiki/RDF%2FXML).
@ -70,7 +70,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![NetNewsWire logo](/assets/img/news-aggregators/netnewswire.png){ align=right }
![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
**NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
@ -85,8 +85,8 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![Miniflux logo](/assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
![Miniflux logo](/assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
**Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
@ -99,7 +99,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
!!! recommendation
![Newsboat logo](/assets/img/news-aggregators/newsboat.svg){ align=right }
![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
**Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).

View File

@ -13,7 +13,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso
!!! recommendation
![Joplin logo](/assets/img/notebooks/joplin.svg){ align=right }
![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
**Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers end-to-end encryption and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
@ -38,7 +38,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso
!!! recommendation
![Standard Notes logo](/assets/img/notebooks/standard-notes.svg){ align=right }
![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
Standard Notes is a simple and private notes app that makes your notes easy and available everywhere you are. It features end-to-end encryption on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).

View File

@ -7,8 +7,8 @@ Stay safe and secure online with an encrypted and open-source password manager.
## Password Best Practices
- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
- Store an exported backup of your passwords in an [encrypted container](/encryption) on another storage device. This can be useful if something happens to your device or the service you are using.
- If possible, store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](/security/multi-factor-authentication/#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
- Store an exported backup of your passwords in an [encrypted container](encryption) on another storage device. This can be useful if something happens to your device or the service you are using.
- If possible, store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](security/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
## Local Password Managers
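Review bot: The new target in `[encrypted container](encryption)` has no `.md` suffix, so it is neither the old absolute URL nor a link to a source file, unlike the other converted page links in this commit (`threat-modeling.md`, `self-contained-networks.md#tor`). Point it at the source file, presumably `encryption.md`, so it resolves the same way as the others. In the next bullet, `security/multi-factor-authentication.md#authenticator-apps` assumes a `security/` directory beside this file; please confirm the file exists at that path.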
@ -18,7 +18,7 @@ These password managers store the password database locally.
!!! recommendation
![KeepassXC logo](/assets/img/password-management/keepassxc.svg){ align=right }
![KeepassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
**KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
@ -41,7 +41,7 @@ These password managers store the password database locally.
!!! recommendation
![KeepassDX logo](/assets/img/password-management/keepassdx.svg){ align=right }
![KeepassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
**KeepassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
@ -62,7 +62,7 @@ These password managers sync up to a cloud server that may be self-hostable.
!!! recommendation
![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ align=right }
![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
**Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. If you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden server.
@ -85,9 +85,9 @@ These password managers sync up to a cloud server that may be self-hostable.
!!! recommendation
![Psono logo](/assets/img/password-management/psono.svg){ align=right }
![Psono logo](assets/img/password-management/psono.svg){ align=right }
**Psono** is a free and open source password manager from Germany, with a focus on password management for teams. It can be [self-hosted](/password-management/#password-management-servers). Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
**Psono** is a free and open source password manager from Germany, with a focus on password management for teams. It can be [self-hosted](#password-management-servers). Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
[Visit psono.com](https://psono.com){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }
@ -107,8 +107,8 @@ These products are self-hostable synchronization for cloud based password manage
!!! recommendation
![Vaultwarden logo](/assets/img/password-management/vaultwarden.svg#only-light){ align=right }
![Vaultwarden logo](/assets/img/password-management/vaultwarden-dark.svg#only-dark){ align=right }
![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ align=right }
![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ align=right }
**Vaultwarden** is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
@ -122,7 +122,7 @@ These products are self-hostable synchronization for cloud based password manage
!!! recommendation
![Psono Server logo](/assets/img/password-management/psono.svg){ align=right }
![Psono Server logo](assets/img/password-management/psono.svg){ align=right }
Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
@ -140,7 +140,7 @@ These products are minimal password managers that can be used within scripting a
!!! recommendation
![gopass logo](/assets/img/password-management/gopass.svg){ align=right }
![gopass logo](assets/img/password-management/gopass.svg){ align=right }
**gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, MacOS, BSD, Windows).

View File

@ -10,7 +10,7 @@ Get working and collaborating without sharing your documents with a middleman or
!!! recommendation
![LibreOffice logo](/assets/img/productivity/libreoffice.svg){ align=right }
![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
**LibreOffice** is a free and open-source office suite with extensive functionality.
@ -32,7 +32,7 @@ Get working and collaborating without sharing your documents with a middleman or
!!! recommendation
![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right }
![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
**OnlyOffice** is alternative, it is free and open-source office suite with extensive functionality.
@ -53,7 +53,7 @@ Get working and collaborating without sharing your documents with a middleman or
!!! recommendation
![Framadate logo](/assets/img/productivity/framadate.svg){ align=right }
![Framadate logo](assets/img/productivity/framadate.svg){ align=right }
**Framadate** is a free and open-source online service for planning an appointment or making a decision quickly and easily. No registration is required.
@ -68,7 +68,7 @@ Get working and collaborating without sharing your documents with a middleman or
!!! recommendation
![PrivateBin logo](/assets/img/productivity/privatebin.svg){ align=right }
![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
**PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin.
@ -83,7 +83,7 @@ Do note that PrivateBin uses JavaScript to handle encryption, so you must trust
!!! recommendation
![CryptPad logo](/assets/img/productivity/cryptpad.svg){ align=right }
![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
**CryptPad** is a private-by-design alternative to popular office tools. All content is end-to-end encrypted. Do note that it uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
@ -98,8 +98,8 @@ Do note that PrivateBin uses JavaScript to handle encryption, so you must trust
!!! recommendation
![Write.as logo](/assets/img/productivity/writeas.svg#only-light){ align=right }
![Write.as logo](/assets/img/productivity/writeas-dark.svg#only-dark){ align=right }
![Write.as logo](assets/img/productivity/writeas.svg#only-light){ align=right }
![Write.as logo](assets/img/productivity/writeas-dark.svg#only-dark){ align=right }
**Write.as** is a cross-platform, privacy-oriented blogging platform. It's anonymous by default, letting you publish without signing up. If you create an account, it doesn't require any personal information. No ads, distraction-free, and built on a sustainable business model.
@ -120,7 +120,7 @@ Do note that PrivateBin uses JavaScript to handle encryption, so you must trust
!!! recommendation
![VSCodium logo](/assets/img/productivity/vscodium.svg){ align=right }
![VSCodium logo](assets/img/productivity/vscodium.svg){ align=right }
**VSCodium** is a free and open-source project featuring binaries of [Visual Studio Code](https://code.visualstudio.com) without Microsoft's branding/telemetry/licensing.

View File

@ -8,7 +8,7 @@ Qubes OS is a distribution of Linux that uses [Xen](https://en.wikipedia.org/wik
!!! recommendation
![Qubes OS logo](/assets/img/qubes/qubes_os.svg){ align=right }
![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
**Qubes** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.

View File

@ -8,7 +8,7 @@ icon: material/chat-processing
!!! recommendation
![Signal logo](/assets/img/messengers/signal.svg){ align=right }
![Signal logo](assets/img/messengers/signal.svg){ align=right }
**Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
@ -36,7 +36,7 @@ The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf)
!!! recommendation
![Element logo](/assets/img/messengers/element.svg){ align=right }
![Element logo](assets/img/messengers/element.svg){ align=right }
**Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
@ -57,7 +57,7 @@ Profile pictures, reactions, and nicknames are not encrypted.
Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings.
When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](/threat-modeling) requires stronger protection, then use a desktop or mobile client instead.
When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signals [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
@ -65,7 +65,7 @@ The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matr
!!! recommendation
![Briar logo](/assets/img/messengers/briar.svg){ align=right }
![Briar logo](assets/img/messengers/briar.svg){ align=right }
**Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briars local mesh mode can be useful when internet availability is a problem.
@ -88,7 +88,7 @@ Briar supports perfect forward secrecy by using the Bramble [Handshake](https://
!!! recommendation
![Session logo](/assets/img/messengers/session.svg){ align=right }
![Session logo](assets/img/messengers/session.svg){ align=right }
**Session** is an encrypted instant messenger that uses three random [service nodes](https://getsession.org/blog/onion-requests-session-new-message-routing-solution) to route messages anonymously on the [Oxen Network](https://oxen.io).
@ -116,7 +116,7 @@ There are several network architectures commonly used to relay messages between
### Centralized Networks
![Centralized networks diagram](/assets/img/layout/network-centralized.svg){ align=left }
![Centralized networks diagram](assets/img/layout/network-centralized.svg){ align=left }
Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
@ -139,7 +139,7 @@ Some self-hosted messengers allow you to set up your own server. Self-hosting ca
### Federated Networks
![Federated networks diagram](/assets/img/layout/network-decentralized.svg){ align=left }
![Federated networks diagram](assets/img/layout/network-decentralized.svg){ align=left }
Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
@ -162,7 +162,7 @@ When self-hosted, users of a federated server can discover and communicate with
### Peer-to-Peer (P2P) Networks
![P2P diagram](/assets/img/layout/network-distributed.svg){ align=left }
![P2P diagram](assets/img/layout/network-distributed.svg){ align=left }
[P2P](https://en.wikipedia.org/wiki/Peer-to-peer) messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server.
@ -183,11 +183,11 @@ P2P networks do not use servers, as users communicate directly between each othe
- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
- Some common messenger features may not be implemented or incompletely, such as message deletion.
- Your [IP address](https://en.wikipedia.org/wiki/IP_address) and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](/vpn) or [self contained network](/self-contained-networks), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention.
- Your [IP address](https://en.wikipedia.org/wiki/IP_address) and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](vpn.md) or [self contained network](self-contained-networks.md), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention.
### Anonymous Routing
![Anonymous routing diagram](/assets/img/layout/network-anonymous-routing.svg){ align=left }
![Anonymous routing diagram](assets/img/layout/network-anonymous-routing.svg){ align=left }
A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.

View File

@ -11,8 +11,8 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
!!! recommendation
![OpenWrt logo](/assets/img/router/openwrt.svg#only-light){ align=right }
![OpenWrt logo](/assets/img/router/openwrt-dark.svg#only-dark){ align=right }
![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
**OpenWrt** is an operating system (in particular, an embedded operating system) based on the Linux kernel, primarily used on embedded devices to route network traffic. The main components are the Linux kernel, util-linux, uClibc, and BusyBox. All components have been optimized for size, to be small enough for fitting into the limited storage and memory available in home routers.
@ -25,8 +25,8 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
!!! recommendation
![pfSense logo](/assets/img/router/pfsense.svg#only-light){ align=right }
![pfSense logo](/assets/img/router/pfsense-dark.svg#only-dark){ align=right }
![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right }
![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right }
pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and offering features often only found in expensive commercial firewalls. pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.

View File

@ -6,13 +6,13 @@ Use a search engine that doesn't build an advertising profile based on your sear
The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
Consider using a [VPN](/vpn) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
### DuckDuckGo
!!! recommendation
![DuckDuckGo logo](/assets/img/search-engines/duckduckgo.svg){ align=right }
![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
**DuckDuckGo** is a popular search engine and is the default for the Tor Browser.
@ -30,9 +30,9 @@ DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduck
!!! recommendation
![Startpage logo](/assets/img/search-engines/startpage.svg){ align=right }
![Startpage logo](assets/img/search-engines/startpage.svg){ align=right }
**Startpage** is a search engine that provides Google search results. It is a very convenient way to get Google search results without experiencing dark patterns such as difficult captchas or being refused access because you used a [VPN](/vpn) or [Tor](https://www.torproject.org/download/).
**Startpage** is a search engine that provides Google search results. It is a very convenient way to get Google search results without experiencing dark patterns such as difficult captchas or being refused access because you used a [VPN](vpn.md) or [Tor](https://www.torproject.org/download/).
[Visit startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Privacy Policy](https://www.startpage.com/en/privacy-policy){ .md-button }
@ -46,7 +46,7 @@ Startpage's majority shareholder is System1 who is an adtech company. We don't t
!!! recommendation
![Mojeek logo](/assets/img/search-engines/mojeek.svg){ align=right }
![Mojeek logo](assets/img/search-engines/mojeek.svg){ align=right }
**Mojeek** is another privacy friendly search engine. They use their own crawler to provide search data.
@ -60,7 +60,7 @@ Startpage's majority shareholder is System1 who is an adtech company. We don't t
!!! recommendation
![Searx logo](/assets/img/search-engines/searx.svg){ align=right }
![Searx logo](assets/img/search-engines/searx.svg){ align=right }
**Searx** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing information about its users. There is a [list of public instances](https://searx.space/).

View File

@ -49,7 +49,7 @@ When logging into a website all a user needs to do is to physically touch the se
The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only only be used once and when a successful authentication occurs the counter is increased which prevents reuse of the OTP. Yubico does provide a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
<figure markdown>
![Yubico OTP](/assets/img/multi-factor-authentication/yubico-otp.png)
![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
</figure>
There are some benefits and disadvantages to using Yubico OTP when compared to [TOTP](#time-based-one-time-password-totp).
@ -94,7 +94,7 @@ When configuring your MFA method, keep in mind that it is only as secure as your
You should always have backups for your MFA method. Hardware security keys can get lost, stolen, or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
When using TOTP with an authenticator app, be sure to back up your recovery keys, the app itself, or copy the "shared secrets" to another instance of the app on a different phone or into an encrypted container (e.g. [VeraCrypt](/encryption/#veracrypt)).
When using TOTP with an authenticator app, be sure to back up your recovery keys, the app itself, or copy the "shared secrets" to another instance of the app on a different phone or into an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
### Initial setup

View File

@ -10,7 +10,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec
!!! recommendation
![Tor logo](./assets/img/self-contained-networks/tor.svg){ align=right }
![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Tor is an effective censorship circumvention tool.
@ -32,8 +32,8 @@ If you are currently browsing clearnet and want to access the dark web, this sec
!!! recommendation
![I2P logo](./assets/img/self-contained-networks/i2p.svg#only-light){ align=right }
![I2P logo](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ align=right }
![I2P logo](assets/img/self-contained-networks/i2p.svg#only-light){ align=right }
![I2P logo](assets/img/self-contained-networks/i2p-dark.svg#only-dark){ align=right }
The Invisible Internet Project (I2P) is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Uses include anonymous Web surfing, chatting, blogging, and file transfers. The software that implements this layer is called an I2P router and a computer running I2P is called an I2P node. The software is free and open-source and is published under multiple licenses.
@ -55,7 +55,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec
!!! recommendation
![Freenet logo](./assets/img/self-contained-networks/freenet.svg){ align=right }
![Freenet logo](assets/img/self-contained-networks/freenet.svg){ align=right }
Freenet is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. Both Freenet and some of its associated tools were originally designed by Ian Clarke, who defined Freenet's goal as providing freedom of speech on the Internet with strong anonymity protection.

View File

@ -8,7 +8,7 @@ When sharing files, it's important to remove associated metadata. Image files co
While there are plenty of metadata removal tools, they typically aren't convenient to use. The guides featured here aim to detail how to integrate metadata removal tools in a simple fashion by utilizing easy-to-access system features.
!!! tip "Related"
For a list of the metadata removal tools that we recommend, visit our [metadata removal tools](/metadata-removal-tools/) page.
For a list of the metadata removal tools that we recommend, visit our [metadata removal tools](../metadata-removal-tools.md) page.
## macOS
@ -16,7 +16,7 @@ This guide uses the [Shortcuts](https://support.apple.com/guide/shortcuts-mac/in
Shortcuts is quite intuitive to work with, so if you don't like the behavior demoed here then experiment with your own solution. For example, you could set the shortcut to take a clipboard input instead. The sky's the limit.
![ExifTool Quick Action](/assets/img/integrating-metadata-removal/preview-macos.png)
![ExifTool Quick Action](../assets/img/integrating-metadata-removal/preview-macos.png)
### Prerequisites
@ -26,7 +26,7 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```
2. [ExifTool](/metadata-removal-tools/#exiftool): a tool for viewing and manipulating image, audio, video, and PDF metadata.
2. [ExifTool](../metadata-removal-tools.md#exiftool): a tool for viewing and manipulating image, audio, video, and PDF metadata.
```bash
brew install exiftool
@ -63,7 +63,7 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
done
```
![macOS metadata removal shortcut](/assets/img/integrating-metadata-removal/shortcut-macos.png)
![macOS metadata removal shortcut](../assets/img/integrating-metadata-removal/shortcut-macos.png)
!!! tip "Worth Mentioning"
The open source [ImageOptim](https://imageoptim.com/mac) app integrates into Finder's *Services* context menu by default. While it is primarily an image optimization app, it also removes metadata.
@ -80,11 +80,11 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
[Shortcuts](https://support.apple.com/guide/shortcuts/welcome/ios) can be made accessible through the system Share Sheet, making accessing those shortcuts very convenient. This guide will show you how to build a metadata removal shortcut and integrate it into the system *Share Sheet*.
!!! attention
This method of metadata removal is not as comprehensive at removing metadata as utilities like [ExifTool](/metadata-removal-tools/#exiftool) and [mat2](/metadata-removal-tools/#mat2) are.
This method of metadata removal is not as comprehensive at removing metadata as utilities like [ExifTool](../metadata-removal-tools.md#exiftool) and [mat2](../metadata-removal-tools.md#mat2) are.
The lack of *good* metadata removal apps on the App Store is what makes this solution worthwhile.
![Don't preserve metadata shortcut](/assets/img/integrating-metadata-removal/preview-ios.png)
![Don't preserve metadata shortcut](../assets/img/integrating-metadata-removal/preview-ios.png)
### Prerequisites
@ -112,7 +112,7 @@ The lack of *good* metadata removal apps on the App Store is what makes this sol
10. Make sure that you uncheck **preserve metadata**
![iOS/iPadOS metadata removal shortcut](/assets/img/integrating-metadata-removal/shortcut-ios.png)
![iOS/iPadOS metadata removal shortcut](../assets/img/integrating-metadata-removal/shortcut-ios.png)
### Enabling & using the Shortcut
@ -123,11 +123,11 @@ The lack of *good* metadata removal apps on the App Store is what makes this sol
Windows allows users to place files in a **SendTo** folder which then appear in the *Send to* context menu. This guide will show you how to add an ExifTool batch script to this menu.
![Send to metadata removal shortcut](/assets/img/integrating-metadata-removal/preview-windows.jpg)
![Send to metadata removal shortcut](../assets/img/integrating-metadata-removal/preview-windows.jpg)
### Prerequisites
1. [ExifTool](/metadata-removal-tools/#exiftool): a tool for viewing and manipulating image, audio, video, and PDF metadata. We suggest you read the [Installation instructions](https://exiftool.org/install.html#Windows) on the official website.
1. [ExifTool](../metadata-removal-tools.md#exiftool): a tool for viewing and manipulating image, audio, video, and PDF metadata. We suggest you read the [Installation instructions](https://exiftool.org/install.html#Windows) on the official website.
!!! note
You can check if ExifTool is present in your [PATH](https://www.computerhope.com/issues/ch000549.htm) by running `exiftool -ver` in Command Prompt. You should see a version number.

View File

@ -109,7 +109,7 @@ We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmis
## Why **shouldn't** I use encrypted DNS?
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](/threat-modeling/). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](/vpn) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](vpn) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
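Review bot: the VPN link in the "Use Tor or a VPN instead" sentence was changed from `/vpn` to `vpn`, with no `.md` extension and no `../` prefix, while the threat model link in the same paragraph became `../threat-modeling.md`. As written it resolves relative to this file's own directory and is not a link to a source file like the others in this commit. If the VPN page sits next to `threat-modeling.md`, this should read `[VPN](../vpn.md)`.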
@ -281,7 +281,7 @@ Encrypted DNS with a 3rd party should only be used to get around redirects and b
## What is DNSSEC and when is it used?
[Domain Name System Security Extensions (DNSSEC)](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](/dns#what-is-encrypted-dns) protocols discussed above.
[Domain Name System Security Extensions (DNSSEC)](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](#what-is-encrypted-dns) protocols discussed above.
## What is QNAME minimization?

View File

@ -15,10 +15,10 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards" markdown>
- ![Tor Browser logo](/assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](https://www.torproject.org/)
- ![Firefox logo](/assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](https://firefox.com/)
- ![Bromite logo](/assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](https://www.bromite.org/)
- ![Safari logo](/assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](https://www.apple.com/safari/)
- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](https://www.torproject.org/)
- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](https://firefox.com/)
- ![Bromite logo](assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](https://www.bromite.org/)
- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](https://www.apple.com/safari/)
</div>
@ -26,9 +26,9 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards annotate" markdown>
- ![uBlock Origin logo](/assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](https://github.com/gorhill/uBlock)
- ![AdGuard logo](/assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for Safari](https://adguard.com/en/adguard-safari/overview.html)
- ![ToS;DR logo](/assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](https://tosdr.org/) (1)
- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](https://github.com/gorhill/uBlock)
- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for Safari](https://adguard.com/en/adguard-safari/overview.html)
- ![ToS;DR logo](assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](https://tosdr.org/) (1)
</div>
@ -42,9 +42,9 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards" markdown>
- ![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](https://grapheneos.org/)
- ![CalyxOS logo](/assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](https://calyxos.org/)
- ![DivestOS logo](/assets/img/android/divestos.svg){ .twemoji } [DivestOS](https://divestos.org/)
- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](https://grapheneos.org/)
- ![CalyxOS logo](assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](https://calyxos.org/)
- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](https://divestos.org/)
</div>
@ -52,13 +52,13 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards" markdown>
- ![Droid-ify logo](/assets/img/android/droid-ify.png){ .twemoji } [Droid-ify (F-Droid Client)](https://github.com/Iamlooker/Droid-ify)
- ![Orbot logo](/assets/img/android/orbot.svg){ .twemoji } [Orbot (Tor Proxy)](https://orbot.app/)
- ![Shelter logo](/assets/img/android/shelter.svg){ .twemoji } [Shelter (Work Profiles)](https://gitea.angry.im/PeterCxy/Shelter)
- ![Auditor logo](/assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](https://attestation.app/)
- ![Secure Camera logo](/assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](/assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](https://github.com/GrapheneOS/Camera)
- ![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](https://github.com/GrapheneOS/PdfViewer)
- ![PrivacyBlur logo](/assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](https://privacyblur.app/)
- ![Droid-ify logo](assets/img/android/droid-ify.png){ .twemoji } [Droid-ify (F-Droid Client)](https://github.com/Iamlooker/Droid-ify)
- ![Orbot logo](assets/img/android/orbot.svg){ .twemoji } [Orbot (Tor Proxy)](https://orbot.app/)
- ![Shelter logo](assets/img/android/shelter.svg){ .twemoji } [Shelter (Work Profiles)](https://gitea.angry.im/PeterCxy/Shelter)
- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](https://attestation.app/)
- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](https://github.com/GrapheneOS/Camera)
- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](https://github.com/GrapheneOS/PdfViewer)
- ![PrivacyBlur logo](assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](https://privacyblur.app/)
</div>
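Review bot: on the Auditor and Secure PDF Viewer entries, the `#only-dark` image still carries the alt text `GrapheneOS logo` (for example `![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark)`), copied over unchanged from the old lines. Since these lines are being rewritten anyway, set the alt text to `Auditor logo` and `Secure PDF Viewer logo` so it matches the light variant beside it.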
@ -68,14 +68,14 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards annotate" markdown>
- ![Fedora logo](/assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](https://getfedora.org/)
- ![openSUSE Tumbleweed logo](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/)
- ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](https://archlinux.org/)
- ![Fedora Silverblue logo](/assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](https://silverblue.fedoraproject.org/)
- ![nixOS logo](/assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](https://nixos.org/)
- ![Whonix logo](/assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](https://www.whonix.org/)
- ![Tails logo](/assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](https://tails.boum.org/)
- ![Qubes OS logo](/assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](https://www.qubes-os.org/) (1)
- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](https://getfedora.org/)
- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/)
- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](https://archlinux.org/)
- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](https://silverblue.fedoraproject.org/)
- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](https://nixos.org/)
- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](https://www.whonix.org/)
- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](https://tails.boum.org/)
- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](https://www.qubes-os.org/) (1)
</div>
@ -87,8 +87,8 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards" markdown>
- ![OpenWrt logo](/assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](/assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](https://openwrt.org/)
- ![pfSense logo](/assets/img/router/pfsense.svg#only-light){ .twemoji }![pfSense logo](/assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](https://www.pfsense.org/)
- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](https://openwrt.org/)
- ![pfSense logo](assets/img/router/pfsense.svg#only-light){ .twemoji }![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](https://www.pfsense.org/)
</div>
@ -100,10 +100,10 @@ For your convenience, everything we recommend is listed below with a link to the
<div class="grid cards" markdown>
- ![Nextcloud logo](/assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](https://nextcloud.com/)
- ![Proton Drive logo](/assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](https://drive.protonmail.com/)
- ![Cryptee logo](/assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](/assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](https://crypt.ee/)
- ![Tahoe-LAFS logo](/assets/img/cloud/tahoe-lafs.svg#only-light){ .twemoji }![Tahoe-LAFS logo](/assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ .twemoji } [Tahoe-LAFS (Advanced)](https://www.tahoe-lafs.org/)
- ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](https://nextcloud.com/)
- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](https://drive.protonmail.com/)
- ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](https://crypt.ee/)
- ![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs.svg#only-light){ .twemoji }![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ .twemoji } [Tahoe-LAFS (Advanced)](https://www.tahoe-lafs.org/)
</div>
@ -117,12 +117,12 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![ProtonMail logo](/assets/img/email/mini/protonmail.svg){ .twemoji } [ProtonMail](https://protonmail.com/)
- ![Mailbox.org logo](/assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](https://mailbox.org/)
- ![Disroot logo](/assets/img/email/mini/disroot.svg#only-light){ .twemoji }![Disroot logo](/assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/)
- ![Tutanota logo](/assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/)
- ![StartMail logo](/assets/img/email/mini/startmail.svg#only-light){ .twemoji }![StartMail logo](/assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/)
- ![CTemplar logo](/assets/img/email/mini/ctemplar.svg#only-light){ .twemoji }![CTemplar logo](/assets/img/email/mini/ctemplar-dark.svg#only-dark){ .twemoji } [CTemplar](https://ctemplar.com/)
- ![ProtonMail logo](assets/img/email/mini/protonmail.svg){ .twemoji } [ProtonMail](https://protonmail.com/)
- ![Mailbox.org logo](assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](https://mailbox.org/)
- ![Disroot logo](assets/img/email/mini/disroot.svg#only-light){ .twemoji }![Disroot logo](assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/)
- ![Tutanota logo](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/)
- ![StartMail logo](assets/img/email/mini/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/)
- ![CTemplar logo](assets/img/email/mini/ctemplar.svg#only-light){ .twemoji }![CTemplar logo](assets/img/email/mini/ctemplar-dark.svg#only-dark){ .twemoji } [CTemplar](https://ctemplar.com/)
</div>
@ -130,8 +130,8 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![AnonAddy logo](/assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](/assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/)
- ![SimpleLogin logo](/assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](https://simplelogin.io/)
- ![AnonAddy logo](assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/)
- ![SimpleLogin logo](assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](https://simplelogin.io/)
</div>
@ -139,8 +139,8 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Mail-in-a-Box logo](/assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](https://mailinabox.email/)
- ![mailcow logo](/assets/img/email/mailcow.svg){ .twemoji } [mailcow](https://mailcow.email/)
- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](https://mailinabox.email/)
- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](https://mailcow.email/)
</div>
@ -150,10 +150,10 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![DuckDuckGo logo](/assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](https://duckduckgo.com/)
- ![Startpage logo](/assets/img/search-engines/startpage.svg){ .twemoji } [Startpage](https://www.startpage.com/)
- ![Mojeek logo](/assets/img/search-engines//mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/)
- ![Searx logo](/assets/img/search-engines/searx.svg){ .twemoji } [Searx](https://searx.me/)
- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](https://duckduckgo.com/)
- ![Startpage logo](assets/img/search-engines/startpage.svg){ .twemoji } [Startpage](https://www.startpage.com/)
- ![Mojeek logo](assets/img/search-engines//mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/)
- ![Searx logo](assets/img/search-engines/searx.svg){ .twemoji } [Searx](https://searx.me/)
</div>
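Review bot: The Mojeek entry still carries a doubled slash after the rewrite (`assets/img/search-engines//mini/mojeek.svg`). Since this line is being touched anyway, collapse it to `assets/img/search-engines/mini/mojeek.svg` so the relative path matches the form used by every other entry in the list and does not depend on the link checker or web server normalising `//`.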
@ -173,9 +173,9 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Mullvad logo](/assets/img/vpn/mini/mullvad.svg){ .twemoji } [Mullvad](https://mullvad.net/)
- ![ProtonVPN logo](/assets/img/vpn/mini/protonvpn.svg){ .twemoji } [ProtonVPN](https://protonvpn.com/)
- ![IVPN logo](/assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](https://www.ivpn.net/)
- ![Mullvad logo](assets/img/vpn/mini/mullvad.svg){ .twemoji } [Mullvad](https://mullvad.net/)
- ![ProtonVPN logo](assets/img/vpn/mini/protonvpn.svg){ .twemoji } [ProtonVPN](https://protonvpn.com/)
- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](https://www.ivpn.net/)
</div>
@ -187,11 +187,11 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Tutanota logo](/assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota (SaaS)](https://tutanota.com/calendar)
- ![Proton Calendar logo](/assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar (SaaS)](https://calendar.protonmail.com/)
- ![EteSync logo](/assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](https://www.etesync.com/)
- ![Tutanota logo](/assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](https://nextcloud.com/)
- ![DecSync CC logo](/assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync](https://github.com/39aldo39/DecSync)
- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota (SaaS)](https://tutanota.com/calendar)
- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar (SaaS)](https://calendar.protonmail.com/)
- ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](https://www.etesync.com/)
- ![Tutanota logo](assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](https://nextcloud.com/)
- ![DecSync CC logo](assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync](https://github.com/39aldo39/DecSync)
</div>
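Review bot: The Nextcloud entry keeps the copy-pasted alt text `Tutanota logo` on `assets/img/calendar-contacts/nextcloud.svg`. The path change itself is fine, but the alt text is wrong for screen readers and for anyone viewing the page with images blocked; suggest `![Nextcloud logo](assets/img/calendar-contacts/nextcloud.svg)` while the line is open.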
@ -201,8 +201,8 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Joplin logo](/assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/)
- ![Standard Notes logo](/assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/)
- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/)
- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/)
</div>
@ -212,15 +212,15 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Thunderbird logo](/assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](https://www.thunderbird.net/)
- ![Apple Mail logo](/assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail](https://support.apple.com/guide/mail/welcome/mac)
- ![GNOME Evolution logo](/assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](https://wiki.gnome.org/Apps/Evolution)
- ![Kontact logo](/assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](https://kontact.kde.org/)
- ![Mailvelope logo](/assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](https://www.mailvelope.com/)
- ![K-9 Mail logo](/assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](https://k9mail.app/)
- ![FairEmail logo](/assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](https://email.faircode.eu/)
- ![Canary Mail logo](/assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](https://canarymail.io/)
- ![NeoMutt logo](/assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](https://neomutt.org/)
- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](https://www.thunderbird.net/)
- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail](https://support.apple.com/guide/mail/welcome/mac)
- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](https://wiki.gnome.org/Apps/Evolution)
- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](https://kontact.kde.org/)
- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](https://www.mailvelope.com/)
- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](https://k9mail.app/)
- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](https://email.faircode.eu/)
- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](https://canarymail.io/)
- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](https://neomutt.org/)
</div>
@ -236,12 +236,12 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](https://veracrypt.fr/)
- ![Cryptomator logo](/assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](https://cryptomator.org/)
- ![Picocrypt logo](/assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](https://evansu.cc/picocrypt)
- ![Hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](https://hat.sh/)
- ![Kryptor logo](/assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](https://www.kryptor.co.uk/)
- ![Tomb logo](/assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](https://www.dyne.org/software/tomb)
- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](https://veracrypt.fr/)
- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](https://cryptomator.org/)
- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](https://evansu.cc/picocrypt)
- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](https://hat.sh/)
- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](https://www.kryptor.co.uk/)
- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](https://www.dyne.org/software/tomb)
</div>
@ -249,10 +249,10 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![GnuPG logo](/assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](https://gnupg.org)
- ![GPG4Win logo](/assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](https://gpg4win.org)
- ![GPG Suite logo](/assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](https://gpgtools.org)
- ![OpenKeychain logo](/assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](https://www.openkeychain.org/)
- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](https://gnupg.org)
- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](https://gpg4win.org)
- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](https://gpgtools.org)
- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](https://www.openkeychain.org/)
</div>
@ -262,11 +262,11 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![OnionShare logo](/assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](https://onionshare.org/)
- ![Magic Wormhole logo](/assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](https://magic-wormhole.readthedocs.io/)
- ![FreedomBox logo](/assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](https://freedombox.org/)
- ![Syncthing logo](/assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](https://syncthing.net/)
- ![git-annex logo](/assets/img/file-sharing-sync/gitannex.svg){ .twemoji } [git-annex](https://git-annex.branchable.com/)
- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](https://onionshare.org/)
- ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](https://magic-wormhole.readthedocs.io/)
- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](https://freedombox.org/)
- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](https://syncthing.net/)
- ![git-annex logo](assets/img/file-sharing-sync/gitannex.svg){ .twemoji } [git-annex](https://git-annex.branchable.com/)
</div>
@ -276,12 +276,12 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![MAT2 logo](/assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](https://0xacab.org/jvoisin/mat2)
- ![ExifCleaner logo](/assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](https://exifcleaner.com/)
- ![Scrambled Exif logo](/assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](https://gitlab.com/juanitobananas/scrambled-exif)
- ![Imagepipe logo](/assets/img/metadata-removal/imagepipe.svg){ .twemoji } [Imagepipe (Android)](https://codeberg.org/Starfish/Imagepipe)
- ![Metapho logo](/assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](https://zininworks.com/metapho)
- ![ExifTool logo](/assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](https://exiftool.org/)
- ![MAT2 logo](assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](https://0xacab.org/jvoisin/mat2)
- ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](https://exifcleaner.com/)
- ![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](https://gitlab.com/juanitobananas/scrambled-exif)
- ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ .twemoji } [Imagepipe (Android)](https://codeberg.org/Starfish/Imagepipe)
- ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](https://zininworks.com/metapho)
- ![ExifTool logo](assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](https://exiftool.org/)
</div>
@ -291,10 +291,10 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png){ .twemoji } [YubiKey](https://www.yubico.com/)
- ![Nitrokey](/assets/img/multi-factor-authentication/nitrokey.jpg){ .twemoji } [Nitrokey](https://www.nitrokey.com/)
- ![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](https://getaegis.app/)
- ![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](https://github.com/raivo-otp/ios-application)
- ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png){ .twemoji } [YubiKey](https://www.yubico.com/)
- ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ .twemoji } [Nitrokey](https://www.nitrokey.com/)
- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](https://getaegis.app/)
- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](https://github.com/raivo-otp/ios-application)
</div>
@ -304,12 +304,12 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![KeePassXC logo](/assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](https://keepassxc.org/)
- ![KeePassDX logo](/assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](https://www.keepassdx.com/)
- ![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](https://bitwarden.com/)
- ![Psono logo](/assets/img/password-management/psono.svg){ .twemoji } [Psono](https://psono.com/)
- ![gopass logo](/assets/img/password-management/gopass.svg){ .twemoji } [gopass](https://www.gopass.pw/)
- ![Vaultwarden logo](/assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](/assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](https://github.com/dani-garcia/vaultwarden)
- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](https://keepassxc.org/)
- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](https://www.keepassdx.com/)
- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](https://bitwarden.com/)
- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](https://psono.com/)
- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](https://www.gopass.pw/)
- ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](https://github.com/dani-garcia/vaultwarden)
</div>
@ -319,13 +319,13 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![LibreOffice logo](/assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](https://www.libreoffice.org/)
- ![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](https://www.onlyoffice.com/)
- ![Framadate logo](/assets/img/productivity/framadate.svg){ .twemoji } [Framadate (Appointment Planning)](https://framadate.org/)
- ![PrivateBin logo](/assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](https://privatebin.info/)
- ![CryptPad logo](/assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](https://cryptpad.fr/)
- ![Write.as logo](/assets/img/productivity/writeas.svg#only-light){ .twemoji }![Write.as logo](/assets/img/productivity/writeas-dark.svg#only-dark){ .twemoji } [Write.as (Blogging Platform)](https://write.as/)
- ![VSCodium logo](/assets/img/productivity/vscodium.svg){ .twemoji } [VSCodium (Source-Code Editor)](https://vscodium.com/)
- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](https://www.libreoffice.org/)
- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](https://www.onlyoffice.com/)
- ![Framadate logo](assets/img/productivity/framadate.svg){ .twemoji } [Framadate (Appointment Planning)](https://framadate.org/)
- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](https://privatebin.info/)
- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](https://cryptpad.fr/)
- ![Write.as logo](assets/img/productivity/writeas.svg#only-light){ .twemoji }![Write.as logo](assets/img/productivity/writeas-dark.svg#only-dark){ .twemoji } [Write.as (Blogging Platform)](https://write.as/)
- ![VSCodium logo](assets/img/productivity/vscodium.svg){ .twemoji } [VSCodium (Source-Code Editor)](https://vscodium.com/)
</div>
@ -335,10 +335,10 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Signal logo](/assets/img/messengers/signal.svg){ .twemoji } [Signal](https://signal.org/)
- ![Element logo](/assets/img/messengers/element.svg){ .twemoji } [Element](https://element.io/)
- ![Briar logo](/assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](https://briarproject.org/)
- ![Session logo](/assets/img/messengers/session.svg){ .twemoji } [Session](https://getsession.org/)
- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](https://signal.org/)
- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](https://element.io/)
- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](https://briarproject.org/)
- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](https://getsession.org/)
</div>
@ -348,13 +348,13 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![Fluent Reader](/assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](https://hyliu.me/fluent-reader)
- ![GNOME Feeds](/assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](https://gfeeds.gabmus.org)
- ![Akregator](/assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](https://apps.kde.org/akregator)
- ![Handy News Reader](/assets/img/news-aggregators/handy-news-reader.svg){ .twemoji } [Handy News Reader](https://github.com/yanus171/Handy-News-Reader)
- ![NetNewsWire](/assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](https://netnewswire.com)
- ![Miniflux](/assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](/assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](https://miniflux.app)
- ![Newsboat](/assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](https://newsboat.org/)
- ![Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](https://hyliu.me/fluent-reader)
- ![GNOME Feeds](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](https://gfeeds.gabmus.org)
- ![Akregator](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](https://apps.kde.org/akregator)
- ![Handy News Reader](assets/img/news-aggregators/handy-news-reader.svg){ .twemoji } [Handy News Reader](https://github.com/yanus171/Handy-News-Reader)
- ![NetNewsWire](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](https://netnewswire.com)
- ![Miniflux](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](https://miniflux.app)
- ![Newsboat](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](https://newsboat.org/)
</div>
@ -376,12 +376,12 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
<div class="grid cards" markdown>
- ![FreeTube logo](/assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](https://freetubeapp.io/)
- ![LBRY logo](/assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](https://lbry.com/)
- ![NewPipe logo](/assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](https://newpipe.net/)
- ![NewPipe x SponsorBlock logo](/assets/img/video-streaming/newpipe.svg){ .twemoji } [NewPipe x Sponsorblock](https://github.com/polymorphicshade/NewPipe)
- ![Invidious logo](/assets/img/video-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](/assets/img/video-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](https://invidious.io/)
- ![Piped logo](/assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](https://piped.kavin.rocks/)
- ![FreeTube logo](assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](https://freetubeapp.io/)
- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](https://lbry.com/)
- ![NewPipe logo](assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](https://newpipe.net/)
- ![NewPipe x SponsorBlock logo](assets/img/video-streaming/newpipe.svg){ .twemoji } [NewPipe x Sponsorblock](https://github.com/polymorphicshade/NewPipe)
- ![Invidious logo](assets/img/video-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/video-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](https://invidious.io/)
- ![Piped logo](assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](https://piped.kavin.rocks/)
</div>
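Review bot: The NewPipe entry is rewritten to `assets/img//video-streaming/newpipe.svg` with a doubled slash, while the NewPipe x SponsorBlock entry on the next line points at the same file as `assets/img/video-streaming/newpipe.svg`. Use the single-slash form for both so the two references to one asset are spelled identically.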

View File

@ -2,7 +2,7 @@
title: "Video Streaming"
icon: material/video-wireless
---
The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](/vpn) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
## Clients
@ -10,11 +10,11 @@ The primary threat when using a video streaming platform is that your streaming
!!! Warning
When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](/vpn) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling.md) requires hiding your IP address.
When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling.md) requires hiding your IP address.
!!! recommendation
![FreeTube logo](/assets/img/video-streaming/freetube.svg){ align=right }
![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right }
**FreeTube** is a free and open source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
@ -37,7 +37,7 @@ The primary threat when using a video streaming platform is that your streaming
!!! recommendation
![LBRY logo](/assets/img/video-streaming/lbry.svg){ align=right }
![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
**The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
@ -53,7 +53,7 @@ The primary threat when using a video streaming platform is that your streaming
!!! warning
While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address.
While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling) requires hiding your IP address.
We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
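Review bot: In the LBRY warning the threat model link becomes `[threat model](threat-modeling)`, which drops the leading slash but never gains the `.md` suffix. The FreeTube warning earlier in this same file links to `threat-modeling.md`, and the point of this commit is file-relative links, so this one should be `[threat model](threat-modeling.md)`; as written it points at neither the old URL nor a source file.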
@ -63,7 +63,7 @@ You can disable *Save hosting data to help the LBRY network* option (⚙️ Set
!!! recommendation
![Newpipe logo](/assets/img//video-streaming/newpipe.svg){ align=right }
![Newpipe logo](assets/img//video-streaming/newpipe.svg){ align=right }
**NewPipe** is a free and open source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [FramaTube](https://framatube.org), and [Bandcamp](https://bandcamp.com).
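Review bot: The NewPipe logo path is left with a doubled slash, `assets/img//video-streaming/newpipe.svg`. The NewPipe x SponsorBlock block in the next hunk references the same image as `assets/img/video-streaming/newpipe.svg`; please normalise this one to match.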
@ -83,7 +83,7 @@ You can disable *Save hosting data to help the LBRY network* option (⚙️ Set
!!! recommendation
![NewPipe x SponsorBlock logo](/assets/img/video-streaming/newpipe.svg){ align=right }
![NewPipe x SponsorBlock logo](assets/img/video-streaming/newpipe.svg){ align=right }
**NewPipe x SponsorBlock** is a fork of [NewPipe](https://newpipe.net) with [SponsorBlock](https://sponsor.ajay.app) integrated to help you skip sponsored advertisements.
It also has some experimental settings such as the ability to use the built-in player for local playback, an option to force fullscreen on landscape mode, and an option to disable error reporting prompts.
@ -106,8 +106,8 @@ This fork is not endorsed by or affiliated with the upstream project. The NewPip
!!! recommendation
![Invidious logo](/assets/img/video-streaming/invidious.svg#only-light){ align=right }
![Invidious logo](/assets/img/video-streaming/invidious-dark.svg#only-dark){ align=right }
![Invidious logo](assets/img/video-streaming/invidious.svg#only-light){ align=right }
![Invidious logo](assets/img/video-streaming/invidious-dark.svg#only-dark){ align=right }
**Invidious** is a free and open source front end for YouTube that is also self-hostable. There are list of [public instances](https://instances.invidious.io). Some instances have [Tor](https://www.torproject.org) onion services support.
@ -129,7 +129,7 @@ When you are using an Invidious instance, be sure to go read the Privacy Policy
!!! recommendation
![Piped logo](/assets/img/video-streaming/piped.svg){ align=right }
![Piped logo](assets/img/video-streaming/piped.svg){ align=right }
**Piped** is a free and open source front end for YouTube that is also self-hostable. Alternative instances can be selected from "Preferences".

View File

@ -31,8 +31,8 @@ Find a no-logging VPN operator who isnt out to sell or read your web traffic.
!!! recommendation
![Mullvad logo](/assets/img/vpn/mullvad.svg#only-light){ align=right }
![Mullvad logo](/assets/img/vpn/mullvad-dark.svg#only-dark){ align=right }
![Mullvad logo](assets/img/vpn/mullvad.svg#only-light){ align=right }
![Mullvad logo](assets/img/vpn/mullvad-dark.svg#only-dark){ align=right }
**Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
@ -92,7 +92,7 @@ Find a no-logging VPN operator who isnt out to sell or read your web traffic.
!!! recommendation
![ProtonVPN logo](/assets/img/vpn/protonvpn.svg){ align=right }
![ProtonVPN logo](assets/img/vpn/protonvpn.svg){ align=right }
**ProtonVPN** is a strong contender in the VPN space, and they have been in operation since 2016. ProtonVPN is based in Switzerland and offers a limited free pricing tier, as well as premium options. They offer a further 14% discount for buying a 2 year subscription.
@ -140,7 +140,7 @@ Find a no-logging VPN operator who isnt out to sell or read your web traffic.
!!! recommendation
![IVPN logo](/assets/img/vpn/ivpn.svg){ align=right }
![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
**IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
@ -288,7 +288,7 @@ Must not have any marketing which is irresponsible:
Responsible marketing that is both educational and useful to the consumer could include:
- An accurate comparison to when Tor or other [self-contained networks](/self-contained-networks) should be used.
- An accurate comparison to when Tor or other [self-contained networks.md](self-contained-networks) should be used.
- Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)
### Additional Functionality
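Review bot: The `.md` suffix landed in the link text instead of the link target: the new line reads `[self-contained networks.md](self-contained-networks)`. That changes the visible wording on the page and leaves the target without an extension. It should be `[self-contained networks](self-contained-networks.md)`, matching the form used for the same link in the Sources and Further Reading hunk of this file.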
@ -346,7 +346,7 @@ For use cases like these, or if you have another compelling reason, the VPN prov
### Sources and Further Reading
1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
2. [The self-contained networks](/self-contained-networks) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
2. [The self-contained networks](self-contained-networks.md) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
3. [Slicing Onions: Part 1 Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
4. [Slicing Onions: Part 2 Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)