Markdown style consistency (#858)

Signed-off-by: Daniel Gray <dng@disroot.org>
Jonah Aragon 2022-04-03 08:50:08 +00:00 committed by Daniel Gray
parent 929b942a4d
commit 46aa2088e5
No known key found for this signature in database
GPG Key ID: 41911F722B0F9AE3
35 changed files with 557 additions and 295 deletions

.markdownlint.yml Normal file

@ -0,0 +1,8 @@
default: true
line-length: false
no-inline-html: false
code-block-style: false
no-hard-tabs:
spaces-per-tab: 4
emphasis-style:
style: "asterisk"
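Review bot: the `spaces-per-tab` key under `no-hard-tabs` does not match the documented parameter name for MD010, which is `spaces_per_tab` (markdownlint uses hyphens for rule aliases but underscores for rule parameters), so the option would be silently ignored and the rule would run with its default of 1 space per tab; change it to `spaces_per_tab: 4`. The nesting of `spaces-per-tab` under `no-hard-tabs` and of `style` under `emphasis-style` is not visible in this rendering, so please also confirm both are indented as child keys rather than top-level entries.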


@ -1,4 +1,5 @@
---
title: "Android"
icon: 'fontawesome/brands/android'
---
Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
@ -70,10 +71,13 @@ DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://devel
Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot), and some perform it better than others.
## Android security and privacy features
### User Profiles
Multiple user profiles (Settings → System → Multiple users) are the simplest way to isolate in Android. With user profiles you can limit a user from making calls, SMS or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles is a more secure method of isolation.
### Work Profile
[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
A **device controller** such as [Shelter](#recommended-apps) is required, unless you're using CalyxOS which includes one.
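Review bot: two grammar points in the User Profiles paragraph: "the simplest way to isolate in Android" is missing its object (what is isolated is apps and their data), and "Multiple user profiles is a more secure method of isolation" should read "are". Worth fixing while the file is being touched for style anyway.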
@ -83,6 +87,7 @@ The work profile is dependent on a device controller to function. Features such
This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
### Verified Boot
[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
Android 10 and above has moved away from full-disk encryption (FDE) to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based).
@ -92,9 +97,11 @@ Each user's data is encrypted using their own unique encryption key, and the ope
Unfortunately, original equipment manufacturers (OEMs) are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom Android Verified Boot (AVB) key enrollment on their devices. Some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
### VPN Killswitch
Android 7 and above supports a VPN killswitch and it is available without the need to install third party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in ⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN.
### Global Toggles
Modern Android devices have global toggles for disabling [Bluetooth](https://en.wikipedia.org/wiki/Bluetooth) and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
## Recommended Apps
@ -125,7 +132,6 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
All versions are signed using the same signature so they should be compatible with each other.
### Shelter
!!! recommendation
@ -152,7 +158,6 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
When using Shelter, you are placing complete trust in its developer as Shelter would be acting as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) for the work profile and has extensive access to the data stored within it.
### Auditor
!!! recommendation
@ -170,11 +175,11 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
Auditor performs attestation and intrusion detection by:
- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
- The *auditor* records the current state and configuration of the *auditee*.
- Should tampering with the operating system of the *auditee* after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
- The user will be alerted to the change.
- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
- The *auditor* records the current state and configuration of the *auditee*.
- Should tampering with the operating system of the *auditee* after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
- The user will be alerted to the change.
No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
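Review bot: in the first Auditor bullet, "a private key in the hardware-backed keystore of the *Auditor*" names the wrong party and is inconsistently capitalized; the attested key is generated in the *auditee*'s hardware-backed keystore and the *auditor* pins it, so "of the *auditee*" is what the rest of the list describes. The fourth bullet is also an incomplete conditional: "Should tampering with the operating system of the *auditee* after the pairing is complete" needs a verb, e.g. "Should the operating system of the *auditee* be tampered with after pairing is complete, ...".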
@ -244,9 +249,10 @@ Main privacy features include:
You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this we suggest [Pocket Paint](https://github.com/Catrobat/Paintroid) or [Imagepipe](https://codeberg.org/Starfish/Imagepipe).
## General Recommendations
### Avoid Root
[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful [Verified Boot](https://source.android.com/security/verifiedboot). Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses.
Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](/dns) or [VPN](/providers/vpn/) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
@ -256,6 +262,7 @@ AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Fire
We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
### Firmware Updates
Firmware updates are critical for maintaining security and without them your device cannot be secure. Original equipment manufacturers (OEMs)—in other words, phone manufacturers—have support agreements with their partners to provide the closed source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
As the components of the phone such as the processor and radio technologies rely on closed source components, the updates must be provided by the respective manufacturers. Therefore it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years while cheaper products often have shorter support. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own system on chip (SoC) and they will provide 5 years of support.
@ -263,46 +270,54 @@ As the components of the phone such as the processor and radio technologies rely
Devices that have reached their end-of-life (EoL) and are no longer supported by the SoC manufacturer, cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
### Android Versions
It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any user apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
### Android Permissions
[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant users control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All user installed apps are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
Should you want to run an app that you're unsure about, consider using a user or work [profile](/android/#android-security-privacy).
### Advanced Protection Program
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) support.
The Advanced Protection Program provides enhanced threat monitoring and enables:
- Stricter two factor authentication; e.g. that [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) or [FIDO2](https://en.wikipedia.org/wiki/WebAuthn) **must** be used and disallows the use of [SMS OTPs](https://en.wikipedia.org/wiki/One-time_password#SMS), [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
- Only Google and verified third party apps can access account data
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
- Stricter recovery process for accounts with lost credentials
- Stricter two factor authentication; e.g. that [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) or [FIDO2](https://en.wikipedia.org/wiki/WebAuthn) **must** be used and disallows the use of [SMS OTPs](https://en.wikipedia.org/wiki/One-time_password#SMS), [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
- Only Google and verified third party apps can access account data
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
- Stricter recovery process for accounts with lost credentials
For users that are using the privileged Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
- Warning the user about unverified applications
- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
- Warning the user about unverified applications
### SafetyNet and Play Integrity API
[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financal apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
### Advertising ID
All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to ⚙️ Settings → Apps → Sandboxed Google Play → Google Settings → Ads and select **Delete advertising ID**.
On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
- ⚙️ Settings → Google → Ads
- ⚙️ Settings → Privacy → Ads
- ⚙️ Settings → Google → Ads
- ⚙️ Settings → Privacy → Ads
Depending on your system, you will either be given the option to delete your advertising ID or to "Opt out of interest-based ads". You should delete the advertising ID if you are given the option to, and if you are not, we recommend that you opt out of interested-based ads and then reset your advertising ID.
### Android Device Shopping
Google Pixels are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot). Some other phones such as the Fairphone and OnePlus devices also support custom Android Verified Boot (AVB) key enrollment. However, there have been issues with their older models. In the past they were using [test keys](https://social.coop/@dazinism/105346943304083054) or not doing proper verification, making Verified Boot on those devices useless.
Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. Phones that cannot be unlocked will often have an [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity) starting with "35", that includes phones from purchased from Verizon, Telus, Rogers, EE, etc.
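Review bot: three typos survive this hunk: "non-financal apps" in the SafetyNet paragraph should be "non-financial", "opt out of interested-based ads" in the Advertising ID section should be "interest-based", and "phones from purchased from Verizon" in the last paragraph has a duplicated "from". Since this change is about Markdown style, it is a good moment to also add the colon after "Check" before the two-item list of settings paths.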
@ -310,22 +325,25 @@ Avoid buying phones from mobile network operators. These often have a **locked b
Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
We have these general tips:
- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
- Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores.
- Look at online community bargain sites in your country. These can alert you to good sales.
- The price per day for a device can be calculated as $\text {EoL Date}-\text{Current Date} \over \text{Cost}$. Google provides a [list](https://support.google.com/nexus/answer/4457705) of their supported devices.
- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
- In short, if a device or Android distribution is not listed here, there is probably a good reason, so check our [discussions](https://github.com/privacyguides/privacyguides.org/discussions) page.
- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
- Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores.
- Look at online community bargain sites in your country. These can alert you to good sales.
- The price per day for a device can be calculated as $\text {EoL Date}-\text{Current Date} \over \text{Cost}$. Google provides a [list](https://support.google.com/nexus/answer/4457705) of their supported devices.
- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
- In short, if a device or Android distribution is not listed here, there is probably a good reason, so check our [discussions](https://github.com/privacyguides/privacyguides.org/discussions) page.
The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. The GrapheneOS project is not currently affiliated with any vendor and cannot ensure the quality or security of their products.
A [CalyxOS membership](https://calyxinstitute.org/membership/calyxos) also entitles you to a device preloaded with CalyxOS.
## GrapheneOS's App Store
GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
## F-Droid
F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's [walled garden](https://en.wikipedia.org/wiki/Closed_platform) has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
### Droid-ify
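Review bot: the price-per-day formula in the "general tips" list is inverted. `$\text {EoL Date}-\text{Current Date} \over \text{Cost}$` renders as (EoL Date - Current Date) / Cost, which is days of remaining support per unit of money; the price per day is the reciprocal, `$\frac{\text{Cost}}{\text{EoL Date}-\text{Current Date}}$`. Using `\frac{}{}` also avoids relying on bare `\over`, whose grouping depends on where the math delimiters happen to fall.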
@ -347,32 +365,37 @@ To mitigate these problems, we recommend [Droid-ify](https://github.com/Iamlooke
- [:fontawesome-brands-github: GitHub](https://github.com/Iamlooker/Droid-ify)
### Where to get your applications
Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version. The Google Play Store requires a Google account to login which is not great for privacy. The [Aurora Store](https://auroraoss.com/download/AuroraStore/) (a Google Play Store proxy) does not always work, though it does most of the time.
We have these general tips:
- Check if the app developers have their own F-Droid repository first, e.g. [Bitwarden](https://bitwarden.com/), [Samourai Wallet](https://www.samouraiwallet.com/), or [Newpipe](https://newpipe.net/), which have their own repositories with less telemetry, additional features or faster updates. This is the ideal situation and you should be using these repositories if possible.
- Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with.
- Check if there are any differences between the F-Droid version and the Google Play Store version. Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google.
- Check if the app developers have their own F-Droid repository first, e.g. [Bitwarden](https://bitwarden.com/), [Samourai Wallet](https://www.samouraiwallet.com/), or [Newpipe](https://newpipe.net/), which have their own repositories with less telemetry, additional features or faster updates. This is the ideal situation and you should be using these repositories if possible.
- Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with.
- Check if there are any differences between the F-Droid version and the Google Play Store version. Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google.
Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy isues in your [threat model](/threat-modeling/).
## Security comparison of GrapheneOS and CalyxOS
### Profiles
CalyxOS includes a device controller app so there is no need to install a third party app like [Shelter](/android/#recommended-apps). GrapheneOS plans to introduce nested profile support with better isolation in the future.
GrapheneOS extends the [user profile](/android/#android-security-privacy) feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future.
### Sandboxed Google Play vs Privileged MicroG
When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile.
Sandboxed Google Play is confined using the highly restrictive, default [`untrusted_app`](https://source.android.com/security/selinux/concepts) domain provided by [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). Permissions for apps to use Google Play Services can be revoked at any time by the user.
MicroG is a reimplementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like normal Google Play Services and requires access to [signature spoofing](https://madaidans-insecurities.github.io/android.html#microg-signature-spoofing) so this is less secure than the Sandboxed Google Play approach. We do not believe MicroG provides any privacy advantages over Sandboxed Google Play except for the option to _shift trust_ of the location backend from Google to another provider such as Mozilla or DejaVu.
MicroG is a reimplementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like normal Google Play Services and requires access to [signature spoofing](https://madaidans-insecurities.github.io/android.html#microg-signature-spoofing) so this is less secure than the Sandboxed Google Play approach. We do not believe MicroG provides any privacy advantages over Sandboxed Google Play except for the option to *shift trust* of the location backend from Google to another provider such as Mozilla or DejaVu.
From a usability point of view, Sandboxed Google Play also works well with far more applications than MicroG, thanks to its support for services like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html).
### Privileged App Extensions
Android 12 comes with special support for seamless app updates with [third party app stores](https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html). The popular Free and Open Source Software (FOSS) repository [F-Droid](https://f-droid.org) doesn't implement this feature and requires a [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged) to be included with the Android distribution in order to have unattended app installation.
GrapheneOS doesn't compromise on security; therefore, they do not include the F-Droid extension. Users have to confirm all updates manually if they want to use F-Droid. Alternatively, they can use the Droid-ify client which does support seamless app updates in Android 12. GrapheneOS officially recommends [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play) instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like [NewPipe](/video-streaming)).
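Review bot: the change from `_shift trust_` to `*shift trust*` matches the new `emphasis-style: asterisk` rule, good. Remaining nits in this hunk: "privacy isues" should be "issues", "eg [AntiTracker]" should be "e.g.", and the project is spelled "Newpipe" in the tips list but "NewPipe" two paragraphs later in the Privileged App Extensions section; pick one spelling.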
@ -380,11 +403,12 @@ GrapheneOS doesn't compromise on security; therefore, they do not include the F-
CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged), which may lower device security. Seamless app updates should be possible with [Aurora Store](https://auroraoss.com) in Android 12.
### Additional hardening
GrapheneOS improves upon [AOSP](https://source.android.com/) security with:
- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
- **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications.
- **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703).
- **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC).
- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
- **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications.
- **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703).
- **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC).
**Please note that these are just a few examples and are not an extensive list of GrapheneOS's hardening**. For a more complete list, please read GrapheneOS' [official documentation](https://grapheneos.org/features).
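Review bot: in the **Hardened WebView** bullet, "All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit" has the causation backwards; user-installed apps inherit Vanadium's hardening because Vanadium is the system WebView provider on GrapheneOS, not because the system apps happen to use it. Suggest: "Vanadium is the system WebView implementation on GrapheneOS, so every app that embeds a WebView, preinstalled or user installed, gets its hardening." Same bullet: `-fwrapv` links to the current GCC manual while `-fstack-protector-strong` links to the gcc-4.9.3 manual; the current manual documents both flags, so link them consistently.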

View File

@ -16,9 +16,11 @@ Please note that **like any VPN**, Outline/Shadowsocks cannot provide nearly the
Outline is developed by Jigsaw, which is a subsidiary of Alphabet Inc (Google). It is important to note that neither Jigsaw nor Google can see your internet traffic when using Outline, because you will be installing the actual Outline Server on your own machine, not Googles. Outline is completely open source and was audited in [2017](https://s3.amazonaws.com/outline-vpn/static_downloads/ros-report.pdf) by Radically Open Security and in [2018](https://s3.amazonaws.com/outline-vpn/static_downloads/cure53-report.pdf) by Cure53, and both security firms supported Jigsaws security claims. For more information on the data Jigsaw is able to collect when using Outline, see their [article on data collection](https://support.getoutline.org/s/article/Data-collection).
### Prerequisites
All you will need to complete this guide is a computer running Windows, macOS, or Linux. You will also need to know some basic commands: [How to SSH](https://www.howtogeek.com/311287/how-to-connect-to-an-ssh-server-from-windows-macos-or-linux/) in to a server you purchase. We will also assume you know how to purchase and set up a Linux server with SSH access, more info in Step 2.
### Step 1 — Download & Install Outline Manager
Outline allows you to setup and configure your servers from an easy-to-use management console called Outline Manager, which can be downloaded from [getoutline.org](https://getoutline.org). It has binaries available for Windows, macOS, and Linux.
Simply download and install the Outline Manager application to your computer.
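Review bot: "neither Jigsaw nor Google can see your internet traffic when using Outline" should be separated from the data the linked data-collection article says Jigsaw is able to collect; as written, a reader can take the sentence to mean that nothing about the server ever reaches Jigsaw. Suggest one added clause after "not Googles": "They cannot read your traffic, but see their article on data collection for the usage information Outline Manager can report to Jigsaw and how to control it."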
@ -28,6 +30,7 @@ Simply download and install the Outline Manager application to your computer.
Note: getoutline.org is blocked in China and likely other countries, however you can download the releases directly from [their GitHub page](https://github.com/Jigsaw-Code/outline-server/releases) as well.
### Step 2 — Choose a Server Provider
Outline has the ability to create servers on three different providers automatically: DigitalOcean, Google Cloud, and Amazon Web Services. In some situations, Google Cloud or AWS may be preferable, because they are less likely to be blocked by hostile ISPs/governments and will therefore allow you to more likely circumvent internet censorship. However, keep in mind that the server provider you choose—like any VPN provider—will have the technical ability to read your internet traffic. This is much less likely to happen when using a cloud provider versus a commercial VPN, which is why we recommend self-hosting, but it is still possible. Choose a provider you trust.
Additionally, keep in mind that many US-based cloud providers block all network traffic to and from [countries sanctioned by the United States](https://en.wikipedia.org/wiki/United_States_sanctions#Countries), including AWS and Google Cloud. Users in or visiting those countries may wish to find a European-based hosting provider to run their Outline Server on.
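Review bot: "This is much less likely to happen when using a cloud provider versus a commercial VPN" is asserted without support and skips the trade-off that matters for a self-hosted VPN: the cloud account, its billing details and the server's IP address are tied directly to one person, so the provider (and anyone who compels it) can attribute every connection leaving that server to you, which a shared commercial VPN server at least blurs. Suggest replacing the sentence with that trade-off stated plainly, and keeping "Choose a provider you trust."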
@ -39,6 +42,7 @@ Finally, if you want to go with DigitalOcean you can use my affiliate link to re
For this guide we are not going to use an automatic provider in Outline Manager, rather we will manually configure a Linux server. We are using Debian 10. Other distros may work as well, but you may need to install Docker manually.
### Step 3 — Configure Your Server
First, we need to update our system and install `curl`. Connect to your server via SSH and enter the following commands:
Next open Outline Manager on your local machine and you should be given 4 options to configure a server. Select the “Set Up” button under the “Advanced, Set up Outline anywhere” option.
@ -52,14 +56,15 @@ Connect to your server over SSH and paste the code from above in the Outline Man
After it completes, it will give you a long line starting with `{"apiUrl"` (depending on your Terminals color support it will appear as green). Copy that line, and paste it in the second box back in Outline Manager. Then, click “Done”.
### Step 4 — Connect Your Devices
Download the Outline app on the device you want to connect. Outline has applications for the following operating systems:
* [Android](https://play.google.com/store/apps/details?id=org.outline.android.client)
* [iOS](https://apps.apple.com/app/id1356177741)
* [Windows](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe)
* [macOS](https://apps.apple.com/app/id1356178125)
* [Chrome OS](https://play.google.com/store/apps/details?id=org.outline.android.client)
* [Linux](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.AppImage)
* [Android](https://play.google.com/store/apps/details?id=org.outline.android.client)
* [iOS](https://apps.apple.com/app/id1356177741)
* [Windows](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe)
* [macOS](https://apps.apple.com/app/id1356178125)
* [Chrome OS](https://play.google.com/store/apps/details?id=org.outline.android.client)
* [Linux](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.AppImage)
You should also be able to use any [Shadowsocks client](https://shadowsocks.org/en/download/clients.html), including alternative clients for each operating system and a client for OpenWRT routers. And like with the Manager, you can download Outline releases from [their GitHub page](https://github.com/Jigsaw-Code/outline-client/releases) as well.
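Review bot: the `{"apiUrl"` line that Step 3 has the reader paste into Outline Manager is the credential that lets the Manager administer the server, yet the only "do not share" warning on the page is for the `ss://` access keys in the Conclusion; add the same warning here, including the Conclusion's advice not to send it over unencrypted channels. In Step 4, the Windows and Linux entries link straight to binaries at a moving `client/stable/` URL on raw.githubusercontent.com (`Outline-Client.exe`, `Outline-Client.AppImage`) with no version or integrity check; since the closing paragraph already names the GitHub releases page, link that instead so readers fetch a tagged release.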
@ -68,6 +73,7 @@ Back in Outline Manager, select your server in the sidebar. On the far right sid
Once you add your server, thats it! In the Outline clients its just a matter of pressing “Connect”, and all your traffic will be proxied through your server! You can use this connection to keep your traffic safe when youre on public WiFi networks, or just to keep your browsing hidden from your ISP.
### Conclusion
That should be all you need to get your very own VPN up and running! **Do not share your access key with anyone**, this is the key starting with `ss://`. If you want to grant other users access to your server, click “Add a new key” in Outline Manager and give them a new, unique key. If you share a key, anyone with knowledge of that key will be able to see all the traffic of anyone else using the key. It should go without saying, but dont send people keys over unencrypted channels: No Facebook Messenger, no emails. Stick with [Signal, Wire, or Briar](/real-time-communication) if you dont have a secure app already.
With Outline, there is no need to worry about the security of your server. Everything is set to automatically update with no intervention required! Another thing to note: The port on your Outline server is randomly generated. This is so the port cant be easily blocked by nation/ISP level censors, however, this VPN may not function on some networks that only allow access to port 80/443, or on servers that only allow traffic on certain ports. These are edge-cases, but something to keep in mind, and if they apply you may need to look for more technical options.
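Review bot: "there is no need to worry about the security of your server. Everything is set to automatically update with no intervention required!" overstates what the guide sets up: nothing in Step 3 configures updates for the host operating system or SSH (the reader ran an update once by hand), so limit the claim to the Outline server software and add a pointer to enabling the distribution's unattended upgrades and restricting SSH access. In the port paragraph, a randomly chosen port defeats simple port blocklists but does nothing against censors that classify the protocol itself; say so, since the paragraph already concedes that readers "may need to look for more technical options".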

View File

@ -18,6 +18,7 @@ Furthermore, this doesn't only happen at your home. Every network you connect to
Fortunately, more and more websites are beginning to use HTTPS, thanks to free certificates from Let's Encrypt and Cloudflare. But many sites still don't (at least by default), and even HTTPS doesn't solve the problem that your ISP can see the websites you're visiting.
## How VPNs can protect us
Luckily, you can hide all this information from your ISP using a VPN. Instead of letting your ISP see all the websites you visit, VPNs only let them see that you are connected (using an **encrypted** connection) to the VPN provider's servers.
*Basically, instead of connecting directly to the Internet, you connect to one of your VPN providers servers, which connects you to the Internet.*
@ -25,6 +26,7 @@ Luckily, you can hide all this information from your ISP using a VPN. Instead of
So, `you <----> Internet` becomes `you <----> VPN <----> Internet` and your ISP can only see the `you <----> VPN` part.
## More ways VPNs can protect us
So VPNs are pretty handy, but hiding your traffic from your ISP isn't the only advantage a VPN provides.
Did you know that if youre on a public Wi-Fi network, <mark>anyone connected to the same network can see as much as your ISP can</mark>? Obviously, this isnt an issue at home, unless you have very creepy neighbors and an open Wi-Fi network. However, it is a problem in public places with Wi-Fi, such as cafés.
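Review bot: "anyone connected to the same network can see as much as your ISP can" holds for open Wi-Fi and for WPA2-Personal networks whose password is handed to every customer (the café case, where a peer that captures your handshake can derive your session key), but not for WPA2/WPA3-Enterprise or WPA3-Personal, which give each client its own keys that a passive peer cannot recover. Qualify the claim instead of closing with "unless you have very creepy neighbors and an open Wi-Fi network", which implies only open networks are affected.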
@ -38,6 +40,7 @@ This also provides an added side-benefit: Most VPN providers have servers in man
But even if you use a different IP address than your “normal” one, isnt it still personally identifiable? Nope. Many people use the same server, letting the websites you visit see only that youre using the same VPN as many other people.
## Drawbacks of a VPN
But VPNs aren't all powerful tools to protect your privacy. In fact, there are a number of glaring issues that should not be overlooked when making the decision to use one.
Most importantly, using a VPN only *shifts* the power to view your traffic from your ISP to the VPN provider itself. That means that all the traffic your ISP used to be able to see, your VPN provider will still be able to. Therefore, choosing a trustworthy VPN is important. Many will be able to find a provider that they can trust more than their ISP, but some may not.
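Review bot: "isn't it still personally identifiable? Nope." is too absolute: a shared exit IP hides only your own address, while cookies, logins and the browser fingerprint identify you to the sites you visit exactly as before, and the provider's own logs (covered two paragraphs later) can still map a connection back to you. Suggest "Not by IP address alone" followed by a sentence naming those other identifiers.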
@ -47,6 +50,7 @@ Using a commercial VPN provider is almost like entrusting your data to a black b
Finally, using a VPN will not make you anonymous in any way. Your VPN provider or especially dedicated attackers will be able to trace a connection back to you fairly trivially. Your VPN provider will also likely have a money trail leading back to you.
## So what?
If you're looking for perfect anonymity, there are better options. Software like the Tor Browser provides privacy and anonymity *by design*, whereas VPNs provide privacy based on trust alone. You cannot rely on "no logging" claims to protect you.
If you just need protection on a public Wi-Fi network, from your ISP, or just from copyright warnings in the mail, a VPN might be the solution for you.

View File

@ -7,6 +7,7 @@ template: overrides/blog.html
So [you know what a VPN is](/blog/2019/10/05/understanding-vpns), but there are so many options to choose from! Well before we dive into this, let's get one thing off the bat:
## Avoid Free VPNs
Privacy-respecting VPNs can provide their service because you pay them for it. Free VPNs are **worse** than your ISP when it comes to respecting your privacy, because **selling your data is the only way they can make money**, whereas an ISP is primarily paid for by you.
> If youre not paying for it, youre the product.
@ -14,49 +15,56 @@ Privacy-respecting VPNs can provide their service because you pay them for it. F
This isn't to say all paid VPNs automatically become trustworthy, far from it. In fact many paid VPN providers have been known to or suspected to have sold their users' data or have done some otherwise shady things with it. Always completely evaluate the VPN provider you choose, rather than just take theirs or anyone else's word for it. The main takeaway here is that it is impossible to provide a service like a VPN — which requires servers, bandwidth, time, and energy to maintain — for free for thousands of users, without having some sort of other monetization model.
## Choosing a VPN
Alright, now we can get into it. The first thing we need to decide is _why_ exactly you need a VPN. Most people will fall into the following two camps:
### 1. Avoiding Geographical Restrictions
Maybe you want to watch BBC online, possibly avoid creeps at cafés, but dont really care about your VPN logging your traffic — just like your ISP does.
**Therefore**: You want a VPN with servers in countries like US, UK — basically where services like Netflix work. (Tip: Netflix is continually banning VPNs, so be sure to use one that isnt blocked. You might want to look into the [r/NetflixViaVPN](https://www.reddit.com/r/NetflixViaVPN) Subreddit for help with this one).
### 2. Maximizing Your Privacy Online
Being **Privacy** Guides, this is the big one for us. If you really care about your privacy, you'll want to look for a provider that at the very least does the following:
* Supports modern technologies like OpenVPN or WireGuard.
* Accepts anonymous payments like cash, gift cards, or cryptocurrencies.
* Provides strong, future-proof encryption for their connections.
* And, is public about their leadership and ownership.
* Supports modern technologies like OpenVPN or WireGuard.
* Accepts anonymous payments like cash, gift cards, or cryptocurrencies.
* Provides strong, future-proof encryption for their connections.
* And, is public about their leadership and ownership.
These 4 points should always be considered when you're evaluating a VPN provider. Additionally, note what jurisdiction the provider is incorporated in, and where their servers are located. This is probably the most important factor to consider, and also the most time-consuming, as privacy laws in various countries vary wildly.
Let me explain what these points mean exactly in more detail, so you know what to look for.
## Modern Technology
You should be able to connect to your VPN with any **OpenVPN** client. L2TP, PPTP, and IPSec are all insecure technologies that should not be used. A new technology called **WireGuard** looks very promising, but is still in active development and not recommended for use.
While we're looking at technology, take a look at whether your provider has their own client for you to download and connect with. These applications usually make using your VPN a lot simpler, and sometimes safer. If they do, ask the following questions:
* **Is this client open-source?** Having an open-source client is important because it allows you or anyone else to audit the code and see exactly what's happening. Closed source clients are essentially a black box you'd be putting all your data into, not the best idea!
* **Does the client have a killswitch?** Not many generic OpenVPN clients come with this functionality, but many custom VPN clients will. A killswitch option allows you to completely disable your internet connection when the VPN is disconnected. This will make sure that you don't accidentally connect to the internet with your ISP's connection.
* **Is this client open-source?** Having an open-source client is important because it allows you or anyone else to audit the code and see exactly what's happening. Closed source clients are essentially a black box you'd be putting all your data into, not the best idea!
* **Does the client have a killswitch?** Not many generic OpenVPN clients come with this functionality, but many custom VPN clients will. A killswitch option allows you to completely disable your internet connection when the VPN is disconnected. This will make sure that you don't accidentally connect to the internet with your ISP's connection.
## Anonymous Payments
This one's an easy one. Take a look at how you're able to pay for your provider's subscription. Some providers will take cash in the mail as payment, a great way to pay without leaving a digital money trail. Others will allow you to pay with gift cards from major retailers like Amazon, Target, and Wal-Mart (which you can hopefully obtain anonymously with cash, replacing the mail middleman from before). Still others will accept various cryptocurrencies.
If not leaving a money trail is important, you'll want to make sure you aren't paying with something linked to you financially, like a credit or debit card, or PayPal. If your provider doesn't accept the payment forms above, you aren't entirely out of luck however. You can still use a prepaid debit card to pay for things as anonymously as possible. But consider: If your provider isn't dedicated to making easy, anonymous payment alternatives available to you, how focused are they on your privacy?
## Strong Security
Most providers using OpenVPN will also be using strong encryption methods, but still make sure you double-check before choosing a provider. What you'll want to look for from your provider at a minimum is:
* **RSA-2048 encryption.** Ideally, they should support RSA-4096 connections, for maximum security.
* **Perfect Forward Secrecy (PFS).** This technology makes each VPN session use a different key every time, so that if an attacker manages to decrypt one of your connections, they won't also be able to see all your other data.
* **RSA-2048 encryption.** Ideally, they should support RSA-4096 connections, for maximum security.
* **Perfect Forward Secrecy (PFS).** This technology makes each VPN session use a different key every time, so that if an attacker manages to decrypt one of your connections, they won't also be able to see all your other data.
In addition, look into whether your provider has ever had their security practices audited by an independent third-party. For example, TunnelBear [publishes](https://cure53.de/summary-report_tunnelbear_2018.pdf) yearly audits of their entire service, or Mullvad, which has [published](https://cure53.de/pentest-report_mullvad_v2.pdf) a comprehensive security audit of their client applications.
Independent audits are important because, while ultimately the actual security of the service will come down to _trusting_ the providers, a successful security audit demonstrates that the provider at least has the _capability_ to provide you with a secure connection, instead of just taking their claims at face value.
## Public Trust
You want to remain private, but your provider shouldn't. If your provider is hiding their ownership information and their leadership from you behind some Panamanian shell company, what other business practices might they be hiding?
> You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data?
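Review bot: the **Strong Security** list measures connection strength by RSA key size ("RSA-2048 encryption. Ideally, they should support RSA-4096 connections"), but in OpenVPN the RSA keys only authenticate the server and client certificates; traffic is encrypted with a symmetric cipher negotiated per session. Rewrite the bullet to ask for RSA-2048 or ECDSA/Ed25519 certificates plus an AEAD data-channel cipher such as AES-256-GCM or ChaCha20-Poly1305, and rewrite the PFS bullet to say the session keys come from an ephemeral (EC)DH exchange, so a later compromise of the server's long-term key does not expose recorded sessions. Two more points in this hunk: "A new technology called WireGuard looks very promising, but is still in active development and not recommended for use" contradicts the "Modern Technology" bullet that lists WireGuard as something to look for, and WireGuard has shipped in mainline Linux since 5.6 (March 2020), so either date the claim as of October 2019 or update it; and "L2TP, PPTP, and IPSec are all insecure technologies" lumps IPsec (IKEv2 with modern ciphers is sound) in with PPTP, whose MS-CHAPv2 authentication is genuinely broken.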
@ -66,6 +74,7 @@ Find out where your choice is incorporated. Who owns it? What other companies ha
Frequent transparency reports are a huge plus too. They should publish information related to government requests, so you know what their responses look like. All VPN providers will need to respond to legitimate legal requests, but does your choice reject or counter as many as possible?
## So what next?
If you're currently using a commercial VPN, use this information to evaluate their business. Do they seem trustworthy?
At Privacy Guides we've [evaluated](/vpn) a huge number of VPN providers along similar criteria to these. In our opinion, as of October 2019, Mullvad leads the pack with respect to all these criteria, with IVPN and ProtonVPN falling just slightly behind but catching up quickly. There are still a huge number of providers out there, however. The way to find the best solution for you, is by researching providers with _your_ criteria in mind.

View File

@ -16,22 +16,27 @@ Firefox is fantastic out of the box, but where it really shines is customizabili
Before we get started, there's a couple things that should be noted that are not only applicable to this guide, but privacy in general:
## Considerations
Protecting your privacy online is a tricky proposition, there are so many factors to take into consideration on an individual basis for any one guide or site to cover comprehensively. You will need to take into account things like threat modeling and your general preferences before making any changes or following any recommendations.
### Threat Modeling
*What is [threat modeling](/threat-modeling/)?* Consider who you're trying to keep your data hidden from. Do you need to keep your information hidden from the government, or just the average stranger? Maybe you're just looking for alternatives to Big Tech Corporations like Google and Facebook. You'll also want to consider how much time and resources you want to spend hiding your data from those "threats". Some solutions might not be feasible from a financial or time standpoint and you'll have to make compromises. Taking all those questions into account creates a basic *threat model* for you to work with.
We want to publish a more complete guide on threat modeling in the future, so stay tuned to this blog for further updates. But for now, just keep those thoughts in the back of your mind as we go through this article. Not every solution might be for you, or conversely you may need to pay more attention to certain areas we aren't able to cover completely.
### Browser Fingerprinting
Another consideration is your browser's fingerprint. When you visit a web page, your browser voluntarily sends information about its configuration, such as available fonts, browser type, and add-ons. If this combination of information is unique, it may be possible to identify and track you without using more common tracking tools, like cookies.
That's right, add-ons contribute to your fingerprint. Another thing a lot of people miss when they are setting up their browser is that <mark>more is not always the best solution to your problems</mark>. You don't need to use every add-on and tweak that offers privacy, and the more you configure the greater chance there is that your browser will appear more unique to websites. Think about your specific situation and pick and choose the add-ons and tweaks we recommend only if you think they will help *you*.
## Firefox Privacy Settings
We'll start off with the easy solutions. Firefox has a number of privacy settings built in, no add-ons necessary! Open your *Options* page (*Preferences* on macOS) and we'll go through them one at a time.
### DNS over HTTPS
DNS (or the Domain Name System) is what your browser uses to turn domain names like `privacyguides.org` into IP addresses like `145.239.169.56`. Because computers can only make connections to IP addresses, it's necessary to use DNS every time you visit a new domain. But DNS is unencrypted by default, that means everyone on your network (including your ISP) can view what domains you're looking up, and in some situations even change the IP answers to redirect you to their own websites! Encrypting your DNS traffic can shield your queries and add some additional protection to your browsing.
Encrypted DNS takes many forms: DNS over HTTPS (DoH), DNS over TLS, DNSCrypt, etc., but they all accomplish the same thing. They keep your DNS queries private from your ISP, and they make sure they aren't tampered with in transit between your DNS provider. Fortunately, Firefox recently added native DoH support to the browser. On the **General** page of your preferences, scroll down to and open **Network Settings**. At the bottom of the window you will be able to select "Enable DNS over HTTPS" and choose a provider:
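Review bot: "they make sure they aren't tampered with in transit between your DNS provider" is missing "you and", and the integrity claim needs scoping: DoH protects the query on the wire to the resolver you chose, but that resolver sees every query and can still return any answer it likes, which is exactly why the next hunk brings in DNSSEC. Suggest: "...private from your ISP and protect them from tampering between you and your DNS provider; they do not stop the provider itself from seeing or altering your queries." "Firefox recently added native DoH support" also needs a date or version number to stay accurate.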
@ -43,6 +48,7 @@ Keep in mind that by using DoH you're sending all your queries to a single provi
It should also be noted that even with DoH, your ISP will still be able to see what domain you're connecting to because of a technology called Server Name Indication (SNI). Until SNI is encrypted as well, there's no getting around it. Encrypted SNI (eSNI) is in the works — and can actually be [enabled on Firefox](https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/) today — but it only works with a small number of servers, mainly ones operated by Cloudflare, so its use is limited currently. Therefore, while DoH provides some additional privacy and integrity protections, its use as a privacy tool is limited until other supplemental tools like eSNI and [DNSSEC](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en) are finalized and implemented.
### Change Your Search Engine
This is an easy one. In the Search tab, change your Default Search Engine to something other than Google.
![Screenshot of the search engine preferences](/assets/img/blog/firefox-privacy-2.png){:.img-fluid .w-75 .mx-auto .d-block}
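Review bot: the eSNI paragraph is stale as of this commit: Firefox dropped its Encrypted SNI support in favour of Encrypted Client Hello (ECH) in early 2021, so "can actually be enabled on Firefox today" and the linked Cloudflare eSNI post no longer describe the shipping browser; replace eSNI with ECH. Also drop "finalized" from "until other supplemental tools like eSNI and DNSSEC are finalized": DNSSEC has been a finished standard since 2005 (RFC 4033 to 4035); what lags is deployment. Worth one clause that the destination IP address, not only SNI, tells the ISP which server you are connecting to.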
@ -50,6 +56,7 @@ This is an easy one. In the Search tab, change your Default Search Engine to som
Out of the built-in options, DuckDuckGo is the most privacy respecting service, but there's a number of [search engines we would recommend](https://privacyguides.org/providers/search-engines/) that can be easily installed as well.
### Enhanced Tracking Protection
Now we'll delve into the biggest set of options for people like us, Firefox's Privacy & Security tab. First up is their Enhanced Tracking Protection. This set of filters is set to *Standard* by default, but we'll want to change it to *Strict* for more comprehensive coverage.
![Screenshot of strict tracking protection enabled](/assets/img/blog/firefox-privacy-3.png){:.img-fluid .w-75 .mx-auto .d-block}
@ -63,11 +70,13 @@ Disabling Enhanced Tracking Protection will of course decrease your privacy on t
Another benefit of Firefox's Enhanced Tracking Protection is that it can actually speed up your browsing! Advertising networks and social media embeds can sometimes make your browser download huge files just to show an ad or a like button, and blocking those out trims the fat, in a sense.
### Disabling Telemetrics
When you use Firefox, Mozilla collects information about what you do, what kind of extensions you have installed, and various other aspects of your browser. While they claim to do this in a privacy-respecting way, sending as little data as possible is always preferred from a privacy standpoint, so we would go ahead and uncheck all the boxes under **Firefox Data Collection and Use** just to be safe.
![Screenshot of Firefox data collection checkboxes](/assets/img/blog/firefox-privacy-5.png){:.img-fluid .w-75 .mx-auto .d-block}
### Clearing Cookies and Site Data
This one is for more advanced users, so if you don't understand what this is doing you can skip this section. Firefox provides the option to delete all your cookies and site data every time Firefox is closed. Cookies and site data are little pieces of information sites store in your browser, and they have a myriad of uses. They are used for things like keeping you logged in and saving your website preferences, but they also can be used to track you across different websites. By deleting your cookies regularly, your browser will appear clean to websites, making you harder to track.
![Screenshot of cookies and site data](/assets/img/blog/firefox-privacy-6.png){:.img-fluid .w-75 .mx-auto .d-block}
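Review bot: "By deleting your cookies regularly, your browser will appear clean to websites, making you harder to track" contradicts the Browser Fingerprinting section earlier in this file, which explains that sites can identify you "without using more common tracking tools, like cookies"; say that clearing cookies and site data resets stateful tracking but leaves the fingerprint intact, so it is one layer rather than a clean slate. Minor: the heading "Disabling Telemetrics" should read "Disabling Telemetry".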
@ -75,6 +84,7 @@ This one is for more advanced users, so if you don't understand what this is doi
This will likely log you out of websites quite often, so make sure that's an inconvenience you're willing to put up with for enhanced privacy.
## Firefox Privacy Add-ons
Of course, just the browser settings alone won't go quite far enough to protect your privacy. Mozilla has made a lot of compromises in order to provide a more functional browsing experience for the average user, which is completely understandable. But, we can take it even further with some browser add-ons that prevent tracking and make your experience more private and secure.
There are a number of [fantastic add-ons for Firefox](https://privacyguides.org/browsers/#addons), but they aren't all necessary for everyone. Some of them provide redundant functionality to each other, and some of them accomplish similar tasks to the settings we've enabled above.
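Review bot: "Of course, just the browser settings alone won't go quite far enough" doubles up on "just" and "alone", and "But, we can take it even further" carries a stray comma after "But"; "Browser settings alone won't go far enough to protect your privacy" and "But we can take it further" read more cleanly.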
@ -83,16 +93,18 @@ When you are installing add-ons for Firefox, consider whether you actually need
Keeping all that in mind, there are three add-ons I would consider necessary for virtually every user:
* uBlock Origin
* HTTPS Everywhere
* Decentraleyes
* uBlock Origin
* HTTPS Everywhere
* Decentraleyes
Out of the box, these add-ons only complement the settings we've described in this article already, and they have sane defaults that won't break the sites you visit.
### uBlock Origin
[**uBlock Origin**](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) is an efficient ad- and tracker-blocker that is easy on memory, and yet can load and enforce thousands more filters than competing blockers. We trust it because it is completely open-source. Additionally, unlike its competitors it has no monetization strategy: There's no "Acceptable" ads program or a similar whitelist like many other adblockers feature.
### HTTPS Everywhere
HTTPS is the secure, encrypted version of HTTP. When you see an address starting with https:// along with the padlock in your browser's address bar, you know that your connection to the website is completely secure. This is of course important when you're logging into websites and sending your passwords and emails in a form. But it also prevents people on your network and your ISP from snooping in on what you're reading, or changing the contents of an unencrypted webpage to whatever they want.
Therefore, [**HTTPS Everywhere**](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere) is a must-have extension, all it does is upgrade your HTTP connections to HTTPS wherever possible. And because it works silently in the background, you probably will never notice it! We trust HTTPS Everywhere because it is completely open-source, and is developed by the [Electronic Frontier Foundation](https://www.eff.org/https-everywhere), a non-profit dedicated to private and secure technologies.
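Review bot: the HTTPS paragraph claims that the padlock means "your connection to the website is completely secure", which overstates what TLS provides: it authenticates the server and encrypts the channel, it says nothing about the site being trustworthy or free of tracking, so "your connection to the website is encrypted and authenticated" is the accurate wording. The next sentence is a comma splice ("is a must-have extension, all it does is"); a full stop or semicolon fixes it. Since the 2021 post in this same patch records that the EFF deprecated HTTPS Everywhere in favour of built-in HTTPS-Only mode, this older post would benefit from a short editor's note at the top pointing readers to the newer guidance.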
@ -100,17 +112,21 @@ Therefore, [**HTTPS Everywhere**](https://addons.mozilla.org/en-US/firefox/addon
Of course, it only works with sites that support HTTPS on the server's side, so you'll still need to keep an eye on your address bar to make sure you're securely connected. But fortunately more and more websites have implemented HTTPS, thanks to the advent of free certificates from organizations like Let's Encrypt.
### Decentraleyes
When you connect to many websites, your browser is most likely making connections to a myriad of "Content Delivery Networks" like Google Fonts, Akamai, and Cloudflare, to download fonts and Javascript that make the website run. This generally makes websites look and feel better, but it means you're constantly making connections to these servers, allowing them to build a fairly accurate tracking profile of you.
[**Decentraleyes**](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes) works by impersonating those CDNs locally in your browser. When a website wants to download a program like jQuery, instead of connecting to a remote CDN Decentraleyes will serve the file from its own cache of files. This means that you'll won't have to make remote CDN connections for the files that Decentraleyes supports, and therefore the remote CDNs can't track your browser. Decentraleyes may even speed up your browsing, because everything is stored locally instead of on a far-away server. Everything happens instantly, and you won't see a difference in the websites you visit.
### Additional Firefox Privacy Add-ons
There is of course more functionality that can be achieved at the expense of more time spent configuring your browser and reduced website functionality. If you're looking for the most privacy options possible however, they may be for you. Check out the page on [Browser add-ons at Privacy Guides](https://privacyguides.org/browsers/#addons) for further information and additional resources.
## More Privacy Functionality
Firefox has developed a number of other privacy tools that can be used to enhance your privacy or security. They may be worth looking into, but they have some drawbacks that would prevent me from recommending them outright.
### Firefox Private Network
**Firefox Private Network** is a new extension developed by Mozilla that serves as a [Virtual Private Network](/blog/2019/10/05/understanding-vpns) (VPN), securing you on public WiFi networks and other situations where you might trust Mozilla more than the ISP or network administrator. It is free in beta, but will likely be available at some subscription pricing once the test pilot ends.
Firefox Private Network is still just a VPN, and there are a number of drawbacks you would want to consider before using it. Ultimately, your VPN provider of choice will be able to see your web traffic. All you are accomplishing is shifting the trust from your network to the VPN provider, in this case *Cloudflare*, the operators behind this service.
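Review bot: the Decentraleyes paragraph has the typo "you'll won't have to make remote CDN connections" ("you won't have to"), and "Javascript" in the preceding paragraph should be "JavaScript". As with HTTPS Everywhere, the 2021 post in this patch says Decentraleyes' resources are badly out of date and no longer recommended, which is another reason for an editor's note on this older post.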
@ -122,14 +138,17 @@ And finally, Cloudflare and Mozilla are both US companies. There are a number of
If you require a Virtual Private Network, we would look elsewhere. There are a number of [good VPN providers](https://privacyguides.org/providers/vpn/) like Mullvad that will provide a better experience at a low cost.
### Multi-Account Containers
Mozilla has an in-house add-on called [**Multi-Account Containers**](https://support.mozilla.org/en-US/kb/containers) that allows you to isolate websites from each other. For example, you could have Facebook in a container separate from your other browsing. In this situation, Facebook would only be able to set cookies with your profile on sites within the container, keeping your other browsing protected.
A containers setup may be a good alternative to techniques like regularly deleting cookies, but requires a lot of manual intervention to setup and maintain. If you want complete control of what websites can do in your browser, it's definitely worth looking into, but we wouldn't call it a necessary addition by any means.
## Additional Resources
[ghacks user.js](https://github.com/ghacksuserjs/ghacks-user.js) — For more advanced users, the ghacks user.js is a "configuration file that can control hundreds of Firefox settings [...] which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage".
[Mozilla's Privacy Policy](https://www.mozilla.org/en-US/privacy/) — Of course, we always recommend reading through the privacy statement of any organization you deal with, and Mozilla is no exception.
## Firefox Privacy Summary
In conclusion, we believe that Firefox is the most promising browser for privacy-conscious individuals. The non-profit behind it seems truly dedicated to promoting user control and privacy, and the good defaults coupled with the sheer customizability of the browser allow you to truly protect your information when you browse the web.
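Review bot: the ghacks user.js link under Additional Resources is stale relative to the rest of this patch, where the 2021 post links the same project under its current name Arkenfox (`https://github.com/arkenfox/user.js`); pointing both posts at the same repository avoids sending readers to the old location. Also, "requires a lot of manual intervention to setup and maintain" in the containers paragraph should use the verb form "to set up".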

View File

@ -17,11 +17,13 @@ We chose the name Privacy Guides because it represents two things for us as an o
As a name, it moves us past recommendations of various tools and focuses us more on the bigger picture. We want to provide more _education_rather than _direction_surrounding privacy-related topics. You can see the very beginnings of this work in our new page on [threat modeling](https://privacyguides.org/threat-modeling/), or our [VPN](https://privacyguides.org/providers/vpn/) and [Email Provider](https://privacyguides.org/providers/email/) recommendations, but this is just the start of what we eventually hope to accomplish.
### Website Development
Our project has always been community-oriented and open-sourced. The source code for PrivacyTools is currently archived at [https://github.com/privacytools/privacytools.io](https://github.com/privacytools/privacytools.io). This repository will remain online as an archive of everything on PrivacyTools up to this transition.
The source code for our new website is available at [https://github.com/privacyguides/privacyguides.org](https://github.com/privacyguides/privacyguides.org). All updates from PrivacyTools have been merged into this new repository, and this is where all future work will take place.
### Services
PrivacyTools also runs a number of online services in use by many users. Some of these services are federated, namely Mastodon, Matrix, and PeerTube. Due to the technical nature of federation, it is impossible for us to change the domain name on these services, and because we cannot guarantee the future of the privacytools.io domain name we will be shutting down these services in the coming months.
We strongly urge users of these services to migrate to alternative providers in the near future. We hope that we will be able to provide enough time to make this as seamless of a transition as possible for our users.
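Review bot: the emphasis in "_education_rather than _direction_surrounding" is missing the spaces after each closing underscore, so it will not render as emphasis; and since this patch converts underscore emphasis to asterisks elsewhere (see the "Special thanks" line in the Firefox post), the line should become `*education* rather than *direction* surrounding`.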
@ -33,11 +35,13 @@ Other services being operated by PrivacyTools currently will be discontinued. Th
Our future direction for online services is uncertain, but will be a longer-term discussion within our community after our work is complete on this initial transition. We are very aware that whatever direction we move from here will have to be done in a way that is sustainable in the very long term.
### r/PrivacyGuides
PrivacyTools has a sizable community on Reddit, but to ensure a unified image we have created a new Subreddit at [r/PrivacyGuides](https://www.reddit.com/r/PrivacyGuides/) that we encourage all Reddit users to join.
In the coming weeks our current plan is to wind down discussions on r/privacytoolsIO. We will be opening r/PrivacyGuides to lots of the discussions most people are used to shortly, but encouraging general “privacy news” or headline-type posts to be posted on [r/Privacy](https://www.reddit.com/r/privacy/) instead. In our eyes, r/Privacy is the “who/what/when/where” of the privacy community on Reddit, the best place to find the latest news and information; while r/PrivacyGuides is the “how”: a place to share and discuss tools, tips, tricks, and other advice. We think focusing on these strong points will serve to strengthen both communities, and we hope the good moderators of r/Privacy agree :)
### Final Thoughts
The former active team at PrivacyTools universally agrees on this direction towards Privacy Guides, and will be working exclusively on Privacy Guides rather than any “PrivacyTools” related projects. We intend to redirect PriavcyTools to new Privacy Guides properties for as long as possible, and archive existing PrivacyTools work as a pre-transition snapshot.
Privacy Guides additionally welcomes back PrivacyTools former sysadmin [Jonah](https://twitter.com/JonahAragon), who will be joining the projects leadership team.
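Review bot: "PriavcyTools" in the Final Thoughts paragraph is a typo for "PrivacyTools", and the following paragraph needs possessives: "PrivacyTools' former sysadmin" and "the project's leadership team".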
@ -50,9 +54,9 @@ We are all very excited about this new brand and direction, and hope to have you
**_Privacy Guides_** _is a socially motivated website that provides information for protecting your data security and privacy._
* [Join r/PrivacyGuides on Reddit](https://www.reddit.com/r/privacyguides)
* [Follow @privacy_guides on Twitter](https://twitter.com/privacy_guides)
* [Collaborate with us on GitHub](https://github.com/privacyguides/privacyguides.org)
* [Join our chat on Matrix](https://matrix.to/#/#privacyguides:aragon.sh)
* [Join r/PrivacyGuides on Reddit](https://www.reddit.com/r/privacyguides)
* [Follow @privacy_guides on Twitter](https://twitter.com/privacy_guides)
* [Collaborate with us on GitHub](https://github.com/privacyguides/privacyguides.org)
* [Join our chat on Matrix](https://matrix.to/#/#privacyguides:aragon.sh)
The contact for this story is Jonah, who is reachable on Twitter [@JonahAragon](https://twitter.com/JonahAragon), Matrix [@jonah:aragon.sh](https://matrix.to/#/@jonah:aragon.sh), or Signal 763-308-5533.
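Review bot: the tagline `**_Privacy Guides_** _is a socially motivated website ..._` still uses underscore emphasis while the rest of this patch standardises on asterisks; `***Privacy Guides*** *is a socially motivated website ...*` matches the new style.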

View File

@ -11,9 +11,11 @@ A lot changed between 2019 and now, not least in regards to Firefox. Since our l
Now that so many privacy features are built into the browser, there is little need for extensions made by third-party developers. Accordingly, we have updated our very outdated [browser](https://privacyguides.org/browsers/) section. If you've got an old browser profile we suggest **creating a new one**. Some of the old advice may make your browser *more* unique.
#### Privacy Tweaks "about:config"
We're no longer recommending that users set `about:config` switches manually. Those switches need to be up to date and continuously maintained. They should be studied before blindly making modifications. Sometimes their behaviour changes in between Firefox releases, is superseded by other keys or they are removed entirely. We do not see any point in duplicating the efforts of the community [Arkenfox](https://github.com/arkenfox/user.js) project. Arkenfox has very good documentation in their [wiki](https://github.com/arkenfox/user.js/wiki) and we use it ourselves.
#### LocalCDN and Decentraleyes
These extensions aren't required with Total Cookie Protection (TCP), which is enabled if you've set Enhanced Tracking Protection (ETP) to **Strict**.
Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumeration of badness](https://www.ranum.com/security/computer_security/editorials/dumb/). While it may work with some scripts that are included it doesn't help with most other third-party connections.
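Review bot: abbreviating Total Cookie Protection as "TCP" collides with Transmission Control Protocol, which the DNS page in this same patch uses in its normal sense (the DNSCrypt paragraph mentions TCP and UDP transports); spelling out "Total Cookie Protection" here, or using the Mozilla-style "TCP (Total Cookie Protection)" only where unambiguous, avoids the confusion.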
@ -21,20 +23,25 @@ Replacing scripts on CDNs with local versions is not a comprehensive solution an
CDN extensions never really improved privacy as far as sharing your IP address was concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the wrong tool for the job and are not a substitute for a good VPN or Tor. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not be likely used anyway.
#### NeatURLs and ClearURLS
Previously we recommended ClearURLs to remove tracking parameters from URLs you might visit. These extensions are no longer needed with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam) feature.
#### HTTPS Everywhere
The EFF announced back in September they were [deprecating HTTPS-Everywhere](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere) as most browsers now have an HTTPS-Only feature. We are pleased to see privacy features built into the browser and Firefox 91 introduced [HTTPS by Default in Private Browsing](https://blog.mozilla.org/security/2021/08/10/firefox-91-introduces-https-by-default-in-private-browsing/).
#### Multi Account Containers and Temporary Containers
Container extensions aren't as important as they used to be for privacy now that we have [Total Cookie Protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/).
Multi Account Container will still have some use if you use [Mozilla VPN](https://en.wikipedia.org/wiki/Mozilla_VPN) as it is going to be [integrated](https://github.com/mozilla/multi-account-containers/issues/2210) allowing you to configure specified containers to use a particular VPN server. Another use might be if you want to login to multiple accounts on the same domain.
#### Just-In-Time Compilation (JIT)
What is "Disable JIT" in Bromite? This option disables the JavaScript performance feature [JIT](https://en.wikipedia.org/wiki/Just-in-time_compilation). It can increase security but at the cost of performance. Those trade-offs vary wildly and are explored in [this](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/) publication by Johnathan Norman from the Microsoft Edge team. This option is very much a security vs performance option.
#### Mozilla browsers on Android
We don't recommend any Mozilla based browsers on Android. This is because we don't feel that [GeckoView](https://mozilla.github.io/geckoview) is quite as secure as it could be as it doesn't support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture), soon to be coming in desktop browsers or [isolated processes](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
We also noticed that there isn't an option for [HTTPS-Only mode](https://github.com/mozilla-mobile/fenix/issues/16952#issuecomment-907960218). The only way to get something similar is to install the [deprecated](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere) extension [HTTPS Everywhere](https://www.eff.org/https-everywhere).
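Review bot: several naming and grammar slips in this hunk: "Its worth noting" needs the apostrophe ("It's"), "would not be likely used" should be "would likely not be used", the heading "NeatURLs and ClearURLS" does not match "ClearURLs" in the paragraph beneath it, "Multi Account Containers" differs from the hyphenated "Multi-Account Containers" used in the 2019 post in this patch, and "login to multiple accounts" should be the verb "log in to".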
@ -42,6 +49,7 @@ We also noticed that there isn't an option for [HTTPS-Only mode](https://github.
There are places which Firefox on Android shines for example browsing news websites where you may want to *partially* load some JavaScript (but not all) using medium or hard [blocking mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The [reader view](https://support.mozilla.org/en-US/kb/view-articles-reader-view-firefox-android) is also pretty cool. We expect things will change in the future, so we're keeping a close eye on this.
#### Fingerprinting
Firefox has the ability to block known third party [fingerprinting resources](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/). Mozilla has [advanced protection](https://support.mozilla.org/kb/firefox-protection-against-fingerprinting) against fingerprinting (RFP is enabled with Arkenfox).
We do not recommend extensions that promise to change your [browser fingerprint](https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead/). Some of those extensions [are detectable](https://www.cse.chalmers.se/~andrei/codaspy17.pdf) by websites through JavaScript and [CSS](https://hal.archives-ouvertes.fr/hal-03152176/file/style-fingerprinting-usenix.pdf) methods, particularly those which inject anything into the web content.
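Review bot: "There are places which Firefox on Android shines for example browsing news websites" needs "where" and a comma ("places where Firefox on Android shines, for example browsing news websites"), and "RFP" in the Fingerprinting paragraph is never expanded; "resistFingerprinting (RFP)" on first use tells the reader which Firefox preference Arkenfox enables.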
@ -50,4 +58,4 @@ This includes **all** extensions that try to change the user agent or other brow
---
_Special thanks to [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) and [Tommy](https://tommytran.io) for their help with providing advice and further documentation during the research phase._
*Special thanks to [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) and [Tommy](https://tommytran.io) for their help with providing advice and further documentation during the research phase.*

View File

@ -1,7 +1,7 @@
---
title: "Write for us!"
icon: material/currency-usd
---
Have some privacy knowledge? We would love your contributions! We are offering bounties between $100 and $300 per article on a variety of privacy-related topics and guides.
If you are interested, please email [jonah@privacyguides.org](mailto:jonah@privacyguides.org) with the topic(s) you'd like to write about. **Written content must be original**, accurate, well-referenced, and meet a number of criteria prior to payout. Articles should typically be around 1000-2000 words, you want to get the point across entirely, but not overfilled with unnecessary information that makes it difficult for beginners to follow. Familiarity with GitHub and Markdown is not a must, but will make the process significantly easier for both of us.
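Review bot: "Articles should typically be around 1000-2000 words, you want to get the point across entirely" is a comma splice; a full stop or semicolon after "words" fixes it.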

View File

@ -5,7 +5,9 @@ icon: octicons/browser-16
These are our current web browser recommendations and settings. We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
## General Recommendations
### Tor Browser
!!! recommendation
![Tor Browser logo](/assets/img/browsers/tor.svg){ align=right }
@ -29,7 +31,9 @@ These are our current web browser recommendations and settings. We recommend kee
- [:fontawesome-brands-git: Source](https://trac.torproject.org/projects/tor)
## Desktop Browser Recommendations
### Firefox
!!! recommendation
![Firefox logo](/assets/img/browsers/firefox.svg){ align=right }
@ -90,11 +94,13 @@ These are our current web browser recommendations and settings. We recommend kee
- [:fontawesome-brands-git: Source](https://hg.mozilla.org/mozilla-central)
## Mobile Browser Recommendations
On Android, Mozilla's engine [GeckoView](https://mozilla.github.io/geckoview/) has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). Firefox on Android also doesn't yet have [HTTPS-Only mode](https://github.com/mozilla-mobile/fenix/issues/16952#issuecomment-907960218) built-in. We do not recommend Firefox or any Gecko based browsers at this time.
On iOS all web browsers use [WKWebView](https://developer.apple.com/documentation/webkit/wkwebview), so all browsers on the App Store are essentially Safari under the hood.
### Bromite
!!! recommendation
![Bromite logo](/assets/img/browsers/bromite.svg){ align=right }
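Review bot: "any Gecko based browsers" should be hyphenated ("Gecko-based"), matching "Mozilla based" which has the same issue in the 2021 post; also "built-in" at the end of the same sentence is used as an adjective where the unhyphenated verb form "built in" is meant.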
@ -122,6 +128,7 @@ On iOS all web browsers use [WKWebView](https://developer.apple.com/documentatio
- [:fontawesome-brands-github: Source](https://github.com/bromite/bromite)
### Safari
!!! recommendation
![Safari logo](/assets/img/browsers/safari.svg){ align=right }
@ -173,6 +180,7 @@ On iOS all web browsers use [WKWebView](https://developer.apple.com/documentatio
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/safari/id1146562112)
## Additional Resources
### uBlock Origin
!!! recommendation
@ -199,6 +207,7 @@ On iOS all web browsers use [WKWebView](https://developer.apple.com/documentatio
- [:fontawesome-brands-github: Source](https://github.com/gorhill/uBlock)
### AdGuard for Safari
!!! recommendation
![AdGuard logo](/assets/img/browsers/adguard.svg){ align=right }
@ -217,6 +226,7 @@ On iOS all web browsers use [WKWebView](https://developer.apple.com/documentatio
- [:fontawesome-brands-git: Source](https://github.com/AdguardTeam/AdGuardForSafari)
### Terms of Service; Didn't Read
!!! recommendation
![Terms of Service; Didn't Read logo](/assets/img/browsers/terms_of_service_didnt_read.svg){ align=right }

View File

@ -5,9 +5,11 @@ icon: material/calendar
Calendaring and contacts are some of the most sensitive data posess. Use only products that use end-to-end encryption (E2EE) at rest. This prevents a provider from reading your data.
## Software as a service (SaaS) only
These products are included with an subscription to the respective [email providers](/providers/email).
### Tutanota
!!! recommendation
![Tutanota logo](/assets/img/calendar-contacts/tutanota.svg#only-light){ align=right }
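Review bot: the opening sentence "some of the most sensitive data posess" is missing its subject and misspells "possess" ("some of the most sensitive data you possess"), and "end-to-end encryption (E2EE) at rest" conflates two different properties: E2EE is what stops the provider reading the data, while "at rest" describes server-side storage encryption that the provider can still decrypt. "Use only products that use end-to-end encryption (E2EE), which prevents a provider from reading your data" states the intended guarantee. "an subscription" in the SaaS paragraph should be "a subscription".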
@ -28,6 +30,7 @@ These products are included with an subscription to the respective [email provid
- [:fontawesome-brands-github: Source](https://github.com/tutao/tutanota)
### Proton Calendar
!!! recommendation
![Proton Calendar logo](/assets/img/calendar-contacts/proton-calendar.jpg){ align=right }
@ -41,9 +44,11 @@ These products are included with an subscription to the respective [email provid
- [:fontawesome-brands-github: Source](https://github.com/ProtonMail/WebClients)
## Self-hostable
Some of these options are self-hostable, or able to be hosted by third party providers for a fee:
### EteSync
!!! recommendation
![EteSync logo](/assets/img/calendar-contacts/etesync.svg){ align=right }
@ -62,6 +67,7 @@ Some of these options are self-hostable, or able to be hosted by third party pro
- [:fontawesome-brands-github: Source](https://github.com/etesync)
### Nextcloud
!!! recommendation
![Nextcloud logo](/assets/img/calendar-contacts/nextcloud.svg){ align=right }
@ -84,6 +90,7 @@ Some of these options are self-hostable, or able to be hosted by third party pro
- [:fontawesome-brands-github: Source](https://github.com/nextcloud)
### DecSync
!!! recommendation
**DecSync** can be used to synchronize RSS, contacts, calendars and tasks without a server by using file synchronization software such as [Syncthing](/software/file-sharing/#sync).

View File

@ -7,6 +7,7 @@ If you are currently using a Cloud Storage Service like Dropbox, Google Drive, M
Trust your provider by using an alternative below that supports [end-to-end encryption (E2EE)](https://wikipedia.org/wiki/End-to-end_encryption).
### Nextcloud
!!! recommendation
![Nextcloud logo](/assets/img/cloud/nextcloud.svg){ align=right }
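Review bot: "Trust your provider by using an alternative below that supports end-to-end encryption (E2EE)" inverts the point being made: E2EE is what lets you stop relying on the provider's trustworthiness. Something like "Instead of trusting your provider, use an alternative below that supports E2EE" matches the intent.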
@ -32,6 +33,7 @@ Trust your provider by using an alternative below that supports [end-to-end encr
- [:fontawesome-brands-github: Source](https://github.com/nextcloud)
### Proton Drive
!!! recommendation
![Proton Drive logo](/assets/img/cloud/protondrive.svg){ align=right }
@ -48,6 +50,7 @@ Trust your provider by using an alternative below that supports [end-to-end encr
- [:fontawesome-brands-github: Source](https://github.com/ProtonMail/WebClients)
### Cryptee
!!! recommendation
![Cryptee logo](./assets/img/cloud/cryptee.svg#only-light){ align=right }
@ -61,6 +64,7 @@ Trust your provider by using an alternative below that supports [end-to-end encr
- [:fontawesome-brands-github: Source](https://github.com/cryptee/web-client)
### Tahoe-LAFS (Advanced)
!!! recommendation
![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs.svg#only-light){ align=right }

View File

@ -5,6 +5,7 @@ icon: material/dns
The [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to [IP](https://en.wikipedia.org/wiki/Internet_Protocol) addresses so browsers and other services can load Internet resources, through a decentralized network of servers.
## What is DNS?
When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the [ISP](https://en.wikipedia.org/wiki/Internet_service_provider) via [Dynamic Host Configuration Protocol (DHCP)](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
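Review bot: the example address `192.98.54.105` given for `privacyguides.org` disagrees with `198.98.54.105`, which the IP Address section and the `tshark` capture filter later in this same file use for the same site; the three occurrences should be made consistent. It would also help readers to say that the address "is returned" by the resolver, since the sentence never says who returns it.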
@ -14,8 +15,10 @@ Unencrypted DNS requests are able to be easily **surveilled** and **modified** i
Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](/dns/#what-is-encrypted-dns).
### Unencrypted DNS
1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified:
```
```bash
tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
```
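Review bot: the capture filter `udp port 53 and host 1.1.1.1 or host 8.8.8.8` does not do what the text says, because in BPF syntax `and` binds tighter than `or`, so it captures DNS to 1.1.1.1 plus all traffic to or from 8.8.8.8. Grouping the hosts, and quoting the filter so the shell does not interpret the parentheses, gives the intended result: `tshark -w /tmp/dns.pcap "udp port 53 and (host 1.1.1.1 or host 8.8.8.8)"`.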
@ -60,42 +63,51 @@ If you run the Wireguard command above, the top pane shows the "[frames](https:/
An observer could modify any of these packets.
## What is "encrypted DNS"?
Encrypted DNS can refer to one of a number of protocols, the most common ones being:
### DNSCrypt
[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. The [protocol](https://en.wikipedia.org/wiki/DNSCrypt#Protocol) operates on [port 443](https://en.wikipedia.org/wiki/Well-known_ports) and works with both the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) or [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS (DoH)](/dns/#dns-over-https-doh).
### DNS over TLS (DoT)
[**DNS over TLS (DoT)**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in [Android 9](https://en.wikipedia.org/wiki/Android_Pie), [iOS 14](https://en.wikipedia.org/wiki/IOS_14), and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to [DNS over HTTPS](/dns/#dns-over-https-doh) in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 and that can be blocked easily by restrictive firewalls.
### DNS over HTTPS (DoH)
[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Support was first added in web browsers such as [Firefox 60](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) and [Chrome 83](https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html).
Native implementations showed up in [iOS 14](https://en.wikipedia.org/wiki/IOS_14), [macOS 11](https://en.wikipedia.org/wiki/MacOS_11), [Microsoft Windows](https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support), and Android 13 (however it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so installing third party software is still required as described [below](/dns/#linux).
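Review bot: the context line at the top of this hunk reads "If you run the Wireguard command above" where the command being referred to is `wireshark -r ...`, so "Wireguard" looks like a slip for "Wireshark". In the DNSCrypt paragraph "works with both the TCP or UDP transport protocols" should be "both ... and", and "varying compliance to the RFC" in the DoT paragraph should be "compliance with".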
## What can an outside party see?
In this example we will record what happens when we make a DoH request:
1. First, start `tshark`:
```
```bash
tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
```
2. Second, make a request with `curl`:
```
```bash
curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
```
3. After making the request, we can stop the packet capture with <kbd>CTRL</kbd> + <kbd>C</kbd>.
4. Analyse the results in Wireshark:
```
```bash
wireshark -r /tmp/dns_doh.pcap
```
We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
## Why **shouldn't** I use encrypted DNS?
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](/threat-modeling/). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](/providers/vpn/) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. We made this flow chart to describe when you *should* use "encrypted DNS":
``` mermaid
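Review bot: step 4 says "Analyse the results" while the SNI section later in this file says "analyze"; pick one spelling for the page. The DoH capture passes its filter quoted via `-f "tcp port https and host 1.1.1.1"`, whereas the unencrypted-DNS example earlier passes the filter unquoted as positional arguments; using the same `-f "..."` form in both examples keeps the tutorial consistent and avoids shell surprises once parentheses are involved.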
@ -116,15 +128,18 @@ graph TB
When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
### IP Address
The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform, (e.g. Github Pages, Cloudflare Pages, Netlify, Wordpress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
### Server Name Indication (SNI)
Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets:
```
```bash
tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
```
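Review bot: L615 passes the capture filter as trailing words (`tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105`) whereas L588 in the previous hunk uses `-f "..."`; tshark accepts both, but quoting it with `-f` here keeps the two captures consistent and stops the shell from splitting the filter if it is later extended. While touching this block: L611 "when a IP address" should be "an IP address", and L609 spells the products GitHub Pages and WordPress.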
@ -133,13 +148,16 @@ Server Name Indication is typically used when a IP address hosts many websites.
3. After visiting the website, we what to stop the packet capture with <kbd>CTRL</kbd> + <kbd>C</kbd>.
4. Next we want to analyze the results:
```
```bash
wireshark -r /tmp/pg.pcap
```
We will see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment), followed by the [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
5. Expand the triangle &#9656; next to each field:
```
```text
▸ Transport Layer Security
▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
▸ Handshake Protocol: Client Hello
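Review bot: two typos sit in this hunk's context and are cheap to fix in a style pass: L618 "we what to stop" should be "we want to stop", and L624 "Around frame 5. you'll see" has a stray period. The ```text tag chosen for the Wireshark tree at L627 is the right one; the OCSP trees later in this file should use the same tag.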
@ -148,7 +166,8 @@ Server Name Indication is typically used when a IP address hosts many websites.
```
6. We can see the [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value:
```
```bash
tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
```
@ -157,6 +176,7 @@ This means even if we are using "Encrypted DNS" servers, the domain will likely
Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
### Online Certificate Status Protocol (OCSP)
Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a [HTTPS](https://en.wikipedia.org/wiki/HTTPS) website, the browser might check to see if the [X.509](https://en.wikipedia.org/wiki/X.509) [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been [revoked](https://en.wikipedia.org/wiki/Certificate_revocation_list). This is generally done through the [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) protocol, meaning it is **not** encrypted.
The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
@ -164,40 +184,49 @@ The OCSP request contains the certificate "[serial number](https://en.wikipedia.
We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
```
```bash
openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
```
2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
```
```bash
openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
```
3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END:
```
```bash
sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
/tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
```
4. Get the OCSP responder for the server certificate:
```
```bash
openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
```
If we want to see all the details of the certificate we can use:
```
```bash
openssl x509 -text -noout -in /tmp/pg_server.cert
```
Our certificate shows the Lets Encrypt certificate responder.
5. Start the packet capture:
```
```bash
tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
```
6. Make the OCSP request:
```
```bash
openssl ocsp -issuer /tmp/intermediate_chain.cert \
-cert /tmp/pg_server.cert \
-text \
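Review bot: the sed script at L660, `sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba'`, depends on GNU sed accepting a semicolon-terminated label; BSD/macOS sed reads the label to end of line, so `ba` fails with an undefined label. Since the guide targets macOS readers as well, split it into separate expressions (`-e '/^-*END CERTIFICATE-*$/!d' -e ':a' -e 'n;p;ba'`) or state the GNU dependency. Also L673: "Lets Encrypt" should be "Let's Encrypt".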
@ -205,11 +234,14 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
```
7. Open the capture:
```
```bash
wireshark -r /tmp/pg_ocsp.pcap
```
There will be two packets with the "OCSP" protocol; a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle &#9656; next to each field:
```
```bash
▸ Online Certificate Status Protocol
▸ tbsRequest
▸ requestList: 1 item
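Review bot: L694 tags the Wireshark field tree as ```bash, but it is not shell input; the Client Hello tree at L627 was tagged ```text, and this block should match it, otherwise the highlighter treats "▸" and "serialNumber" as commands.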
@ -217,8 +249,10 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
▸ reqCert
serialNumber
```
For the "Response" we can also see the "serial number":
```
```bash
▸ Online Certificate Status Protocol
▸ responseBytes
▸ BasicOCSPResponse
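Review bot: same issue as L694: the Response tree fence at L704 should be ```text rather than ```bash, matching L627.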
@ -229,14 +263,16 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
serialNumber
```
7. Or use `tshark` to filter the packets for the Serial Number:
```
8. Or use `tshark` to filter the packets for the Serial Number:
```bash
tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
```
If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number.
## Why should I use encrypted DNS?
You should only use DNS if your [threat model](/threat-modeling/) doesn't require you to hide any of your browsing activity. Encrypted DNS should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences.
Encrypted DNS can also help if your ISP obnoxiously redirects you to other websites. These are our recommendations for servers:
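Review bot: the renumbering at L713 (7 → 8) is correct, since step 7 at L687 already opens the capture. Separately, L719 reads "You should only use DNS if your threat model doesn't require you to hide any of your browsing activity"; the word "encrypted" is missing, and as written it tells readers not to use DNS at all.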
@ -263,14 +299,17 @@ The criteria for servers for this table are:
- [QNAME Minimization](/dns/#what-is-qname-minimization)
## What is DNSSEC and when is it used?
[Domain Name System Security Extensions (DNSSEC)](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](/dns#what-is-encrypted-dns) protocols discussed above.
## What is QNAME minimization?
A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
## What is EDNS Client Subnet (ECS)?
The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network (CDN)](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
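Review bot: L726 defines QNAME as "qualified name"; in DNS terminology (RFC 1035, question section) QNAME is the query name, and RFC 7816 uses it in that sense. The same line spells "minimisation" while L725 and L727 use "minimization", which a style-consistency PR should settle. L727 is also looser than the RFC: the resolver asks each server only for the next label it needs (the root for `org.`, the `.org` servers for `privacyguides.org.`) rather than "all the records that end in .org".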
@ -280,33 +319,39 @@ This feature does come at a privacy cost, as it tells the DNS server some inform
## Native Operating System Support
### Android
Android 9 and above support DNS over TLS. Android 13 will support DNS over HTTPS. The settings can be found in: *Settings* &rarr; *Network & Internet* &rarr; *Private DNS*.
### Apple Devices
The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
After installation of either a configuration profile or an app that utilizes the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
- **iOS/iPadOS:** *Settings &rarr; General &rarr; VPN, DNS, & Device Management &rarr; DNS*
- **macOS:** *System Preferences &rarr; Profiles* & *System Preferences &rarr; Network*
- **tvOS:** *Settings &rarr; General &rarr; Privacy &rarr;* hover on "*Share Apple TV Analytics*" &rarr; press the play button on the remote
- **iOS/iPadOS:** *Settings &rarr; General &rarr; VPN, DNS, & Device Management &rarr; DNS*
- **macOS:** *System Preferences &rarr; Profiles* & *System Preferences &rarr; Network*
- **tvOS:** *Settings &rarr; General &rarr; Privacy &rarr;* hover on "*Share Apple TV Analytics*" &rarr; press the play button on the remote
Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html).
* **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [ControlD](https://kb.controld.com/en/tutorials), [NextDNS](https://apple.nextdns.io), [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
- **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [ControlD](https://kb.controld.com/en/tutorials), [NextDNS](https://apple.nextdns.io), [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
### Windows
Windows users can [turn on DoH](https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support) by accessing Windows settings in the control panel.
Select *Settings* &rarr; *Network & Internet* &rarr; *Ethernet* or *WiFi*, &rarr; *Edit DNS Settings* &rarr; Preferred DNS encryption &rarr; *Encrypted only (DNS over HTTPS)*.
### Linux
`systemd-resolved` doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639), which many Linux distributions use to do their DNS lookups. If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
## Encrypted DNS Proxies
Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/dns/#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](/dns/#what-is-encrypted-dns).
### RethinkDNS
!!! recommendation
![RethinkDNS logo](/assets/img/android/rethinkdns.svg#only-light){ align=right }
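Review bot: L751 attaches "which many Linux distributions use" to DoH rather than to the resolver; reorder to "`systemd-resolved`, which many Linux distributions use for DNS lookups, doesn't yet support DoH". Also L749 has a stray comma before the arrow ("*Ethernet* or *WiFi*, →"). The `*` → `-` bullet change at L746 matches the list style used elsewhere on the page.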
@ -322,6 +367,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/d
- [:fontawesome-brands-github: Source](https://github.com/celzero/rethink-app)
### DNSCloak
!!! recommendation
![DNSCloak logo](/assets/img/ios/dnscloak.png){ align=right }
@ -335,6 +381,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/d
- [:fontawesome-brands-github: Source](https://github.com/s-s/dnscloak)
### dnscrypt-proxy
!!! recommendation
![dnscrypt-proxy logo](/assets/img/dns/dnscrypt-proxy.svg){ align=right }

View File

@ -12,6 +12,7 @@ Discover free, open-source, and secure email clients, along with some email alte
[Real-time Communication](/real-time-communication){ .md-button .md-button--primary }
### Thunderbird
!!! recommendation
![Thunderbird logo](/assets/img/email-clients/thunderbird.svg){ align=right }
@ -28,6 +29,7 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-git: Source](https://hg.mozilla.org/comm-central)
### GNOME Evolution
!!! recommendation
![Evolution logo](/assets/img/email-clients/evolution.svg){ align=right }
@ -41,6 +43,7 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-gitlab: Source](https://gitlab.gnome.org/GNOME/evolution)
### Kontact
!!! recommendation
![Kontact logo](/assets/img/email-clients/kontact.svg){ align=right }
@ -55,6 +58,7 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-git: Source](https://invent.kde.org/pim/kmail)
### Mailvelope
!!! recommendation
![Mailvelope logo](/assets/img/email-clients/mailvelope.svg){ align=right }
@ -69,8 +73,8 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
- [:fontawesome-brands-github: Source](https://github.com/mailvelope/mailvelope)
### K-9 Mail
!!! recommendation
![K-9 Mail logo](/assets/img/email-clients/k9mail.svg){ align=right }
@ -85,6 +89,7 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-github: Source](https://github.com/k9mail)
### FairEmail
!!! recommendation
![FairEmail logo](/assets/img/email-clients/fairemail.svg){ align=right }
@ -99,6 +104,7 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-github: Source](https://github.com/M66B/FairEmail)
### Canary Mail
!!! recommendation
![Canary Mail logo](/assets/img/email-clients/canarymail.svg){ align=right }
@ -120,6 +126,7 @@ Discover free, open-source, and secure email clients, along with some email alte
- [:fontawesome-brands-windows: Windows](https://download.canarymail.io/get_windows)
### Neomutt
!!! recommendation
![Neomutt logo](/assets/img/email-clients/mutt.svg){ align=right }

View File

@ -301,12 +301,12 @@ Operating outside the five/nine/fourteen-eyes countries is not necessarily a gua
**Minimum to Qualify:**
- Operating outside the USA or other Five Eyes countries.
- Operating outside the USA or other Five Eyes countries.
**Best Case:**
- Operating outside the USA or other Fourteen Eyes countries.
- Operating inside a country with strong consumer protection laws.
- Operating outside the USA or other Fourteen Eyes countries.
- Operating inside a country with strong consumer protection laws.
### Technology
@ -314,20 +314,20 @@ We regard these features as important in order to provide a safe and optimal ser
**Minimum to Qualify:**
- Encrypts account data at rest.
- Integrated webmail encryption provides convenience to users who want improve on having no [E2EE](https://en.wikipedia.org/wiki/End-to-end_encryption) encryption.
- Encrypts account data at rest.
- Integrated webmail encryption provides convenience to users who want improve on having no [E2EE](https://en.wikipedia.org/wiki/End-to-end_encryption) encryption.
**Best Case:**
- Encrypts account data at rest with zero-access encryption.
- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad, be acquired by another company which doesn't prioritize privacy etc.
- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP.
- Encrypts account data at rest with zero-access encryption.
- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad, be acquired by another company which doesn't prioritize privacy etc.
- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP.
GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
- [Catch all](https://en.wikipedia.org/wiki/Email_filtering) or [aliases](https://en.wikipedia.org/wiki/Email_alias) for users who own their own domains.
- Use of standard email access protocols such as [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol), [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
- [Catch all](https://en.wikipedia.org/wiki/Email_filtering) or [aliases](https://en.wikipedia.org/wiki/Email_alias) for users who own their own domains.
- Use of standard email access protocols such as [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol), [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
### Privacy
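Review bot: L837 ("GnuPG users can get a key by typing: ...") is a continuation of the WKD bullet at L836, so after the re-indentation it must still sit at the bullet's content column; as a flush paragraph it splits the Best Case list into two lists and renderers insert a gap between them. Also L829 "who want improve on having no [E2EE] encryption" is missing "to", and "E2EE encryption" expands to "end-to-end encryption encryption".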
@ -335,13 +335,13 @@ We prefer our recommended providers to collect as little data as possible.
**Minimum to Qualify:**
- Protect sender's IP address. Filter it from showing in the `Received` header field.
- Don't require personally identifiable information (PII) besides username and password.
- Privacy policy that meets the requirements defined by the GDPR
- Protect sender's IP address. Filter it from showing in the `Received` header field.
- Don't require personally identifiable information (PII) besides username and password.
- Privacy policy that meets the requirements defined by the GDPR
**Best Case:**
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
### Security
@ -349,32 +349,32 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
**Minimum to Qualify:**
- Protection of webmail with [two-factor authentication (2FA)](https://en.wikipedia.org/wiki/Multi-factor_authentication), such as [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm).
- Encryption at rest, (e.g. [dm-crypt](https://en.wikipedia.org/wiki/dm-crypt)) this protects the contents of the servers in case of unlawful seizure.
- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
- No [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) errors/vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) or [Qualys SSL Labs](https://www.ssllabs.com/ssltest), this includes certificate related errors, poor or weak ciphers suites, weak DH parameters such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or utilize [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
- Website security standards such as:
- Protection of webmail with [two-factor authentication (2FA)](https://en.wikipedia.org/wiki/Multi-factor_authentication), such as [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm).
- Encryption at rest, (e.g. [dm-crypt](https://en.wikipedia.org/wiki/dm-crypt)) this protects the contents of the servers in case of unlawful seizure.
- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
- No [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) errors/vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) or [Qualys SSL Labs](https://www.ssllabs.com/ssltest), this includes certificate related errors, poor or weak ciphers suites, weak DH parameters such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or utilize [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
- Website security standards such as:
- [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
- [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
- [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
- [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
**Best Case:**
- Support for hardware authentication, ie [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate users, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
- Zero access encryption, builds on encryption at rest. The difference being the provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for users who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
- Website security standards such as:
- Support for hardware authentication, ie [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate users, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
- Zero access encryption, builds on encryption at rest. The difference being the provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for users who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
- Website security standards such as:
- [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
- [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
- [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
- [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
### Trust
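Review bot: L877 "poor or weak ciphers suites" should be "cipher suites", and L896 "ie U2F" should be "i.e.". L882 links the expired draft-ietf-tls-oldversions-deprecate; that work was published as RFC 8996 in March 2021, so the link and the phrase "a plan for deprecating" could point at the RFC instead.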
@ -382,12 +382,12 @@ You wouldn't trust your finances to someone with a fake identity, so why trust t
**Minimum to Qualify:**
- Public-facing leadership or ownership.
- Public-facing leadership or ownership.
**Best Case:**
- Public-facing leadership.
- Frequent transparency reports.
- Public-facing leadership.
- Frequent transparency reports.
### Marketing
@ -395,19 +395,19 @@ With the email providers we recommend we like to see responsible marketing.
**Minimum to Qualify:**
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
Must not have any marketing which is irresponsible:
- Claims of "unbreakable encryption". Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, e.g.:
- Claims of "unbreakable encryption". Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, e.g.:
- Reusing personal information e.g. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
- Reusing personal information e.g. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
**Best Case:**
- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
### Additional Functionality
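Review bot: L925 "it means there is no certainty for failure" reads backwards; the intended sense is that a 100% claim leaves no room for failure, which nobody can promise. L928 has the parentheses misplaced: "personal information (e.g. email accounts, unique pseudonyms) that they accessed without anonymity software (Tor, VPN etc.)".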
@ -494,14 +494,13 @@ Advanced users may consider setting up their own email server. Mailservers requi
**[Mailcow](https://mailcow.email)** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mailserver with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. **[Mailcow Dockerized docs](https://mailcow.github.io/mailcow-dockerized-docs/)**
For a more manual approach we've picked out these two articles.
- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
## Additional Reading
- [An NFC PGP SmartCard For Android](https://www.grepular.com/An_NFC_PGP_SmartCard_For_Android)
- [Aging 'Privacy' Law Leaves Cloud E-Mail Open to Cops (2011)](https://www.wired.com/2011/10/ecpa-turns-twenty-five/)
- [The Government Can (Still) Read Most Of Your Emails Without A Warrant (2013)](https://thinkprogress.org/the-government-can-still-read-most-of-your-emails-without-a-warrant-322fe6defc7b/)
- [An NFC PGP SmartCard For Android](https://www.grepular.com/An_NFC_PGP_SmartCard_For_Android)
- [Aging 'Privacy' Law Leaves Cloud E-Mail Open to Cops (2011)](https://www.wired.com/2011/10/ecpa-turns-twenty-five/)
- [The Government Can (Still) Read Most Of Your Emails Without A Warrant (2013)](https://thinkprogress.org/the-government-can-still-read-most-of-your-emails-without-a-warrant-322fe6defc7b/)

View File

@ -5,9 +5,11 @@ icon: material/file-lock
Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails, or files, you should pick an option here.
## Multi-platform
The options listed here are multi-platform and great for creating encrypted backups of your data.
### VeraCrypt
!!! recommendation
![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
@ -29,6 +31,7 @@ The options listed here are multi-platform and great for creating encrypted back
- [:fontawesome-brands-git: Source](https://www.veracrypt.fr/code)
### GNU Privacy Guard
!!! recommendation
![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right }
@ -54,6 +57,7 @@ The options listed here are multi-platform and great for creating encrypted back
- [:fontawesome-brands-git: Source](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git)
### Cryptomator
!!! recommendation
![Cryptomator logo](/assets/img/encryption-software/cryptomator.svg){ align=right }
@ -75,6 +79,7 @@ The options listed here are multi-platform and great for creating encrypted back
- [:fontawesome-brands-github: Source](https://github.com/cryptomator)
### Picocrypt
!!! recommendation
![Picocrypt logo](/assets/img/encryption-software/picocrypt.svg){ align=right }
@ -90,9 +95,11 @@ The options listed here are multi-platform and great for creating encrypted back
- [:fontawesome-brands-github: Source](https://github.com/HACKERALERT/Picocrypt)
## Operating system included Full Disk Encryption (FDE)
Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki/Disk_encryption) and will utilize a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
### BitLocker
!!! recommendation
![BitLocker logo](/assets/img/encryption-software/bitlocker.png){ align=right }
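Review bot: "will utilize a secure cryptoprocessor" in the section intro overstates it: the LUKS entry later in this same section runs with no TPM at all, and BitLocker can be configured without one; "can be backed by a secure cryptoprocessor" describes what this section actually lists.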
@ -137,6 +144,7 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
[Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
### FileVault
!!! recommendation
![FileVault logo](/assets/img/encryption-software/filevault.png){ align=right }
@ -146,6 +154,7 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
[Visit support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
### Linux Unified Key Setup (LUKS)
!!! recommendation
![LUKS logo](/assets/img/encryption-software/luks.png){ align=right }
@ -175,9 +184,11 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
[Visit gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
## Browser-based
Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
### hat.sh
!!! recommendation
![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right }
@ -191,9 +202,11 @@ Browser-based encryption can be useful when you need to encrypt a file but canno
- [:fontawesome-brands-github: Source](https://github.com/sh-dv/hat.sh)
## Command-line
Tools with command-line interfaces are useful for intergrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
### Kryptor
!!! recommendation
![Kryptor logo](/assets/img/encryption-software/kryptor.png){ align=right }
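Review bot: the context line "Tools with command-line interfaces are useful for intergrating shell scripts" carries a typo ("integrating"); since this hunk already touches the lines around it, fixing it here is cheap.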
@ -209,6 +222,7 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h
- [:fontawesome-brands-github: Source](https://github.com/samuel-lucas6/Kryptor)
### Tomb
!!! recommendation
![Tomb logo](/assets/img/encryption-software/tomb.png){ align=right }

View File

@ -7,6 +7,7 @@ Discover how to privately share your files between your devices, with your frien
## File Sharing
### OnionShare
!!! recommendation
![OnionShare logo](/assets/img/file-sharing-sync/onionshare.svg){ align=right }
@ -22,6 +23,7 @@ Discover how to privately share your files between your devices, with your frien
- [:fontawesome-brands-github: Source](https://github.com/onionshare/onionshare)
### Magic Wormhole
!!! recommendation
![Magic Wormhole logo](/assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
@ -36,8 +38,8 @@ Discover how to privately share your files between your devices, with your frien
- [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
- [:fontawesome-brands-github: Source](https://github.com/magic-wormhole/magic-wormhole)
### croc
!!! recommendation
![croc logo](/assets/img/file-sharing-sync/croc.jpg){ align=right }
@ -53,6 +55,7 @@ Discover how to privately share your files between your devices, with your frien
- [:fontawesome-brands-github: Source](https://github.com/schollz/croc)
## FreedomBox
!!! recommendation
![FreedomBox logo](/assets/img/file-sharing-sync/freedombox.svg){ align=right }
@ -67,6 +70,7 @@ Discover how to privately share your files between your devices, with your frien
## File Sync
### Syncthing
!!! recommendation
![Syncthing logo](/assets/img/file-sharing-sync/syncthing.svg){ align=right }
@ -82,6 +86,7 @@ Discover how to privately share your files between your devices, with your frien
- [:fontawesome-brands-github: Source](https://github.com/syncthing)
### git-annex
!!! recommendation
![git-annex logo](/assets/img/file-sharing-sync/gitannex.svg){ align=right }

View File

@ -4,7 +4,7 @@ hide:
- navigation
- toc
---
<!-- markdownlint-disable-next-line -->
<div style="max-width:50rem;margin:auto;" markdown>
<div style="max-width:38rem;" markdown>
## Why should I care?
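Review bot: the added `<!-- markdownlint-disable-next-line -->` names no rule, so it silences every check on the following line and leaves the reader guessing which one it works around; markdownlint accepts a rule list in the comment (e.g. `<!-- markdownlint-disable-next-line MD041 -->` if it is the first-line-heading check that fires), which keeps the suppression scoped and self-documenting. Note also that the comment covers only the first `<div>`; the second `<div style="max-width:38rem;" markdown>` on the next line is not covered, so if the same rule fires there it will need its own.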
@ -19,7 +19,7 @@ You shouldn't confuse privacy with secrecy. We know what happens in the bathroom
<div style="margin-left:auto;margin-right:0;text-align:right;max-width:38rem;" markdown>
## What should I do?
##### First, you need to make a plan.
##### First, you need to make a plan
Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and by thinking ahead you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins with understanding the unique threats you face, and how you can counter them.
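Review bot: dropping the trailing period from the heading is right, but the `#####` still sits directly under `## What should I do?`, skipping three heading levels, which the heading-increment check normally flags; if the small size is only visual styling, use `###` (or a rule-scoped disable comment) rather than leaving the level jump in a commit whose purpose is markdownlint conformance.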

View File

@ -1,7 +1,7 @@
---
title: Linux
icon: fontawesome/brands/linux
---
Linux distributions are commonly recommended for privacy protection and user freedom. Below are some suggestions with some general privacy and security improvements.
## Traditional Distributions
@ -80,13 +80,13 @@ As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fed
NixOSs package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also _test_ the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single Github repository. You can also define your own packages in the same language and then easily include them in your config.
Nix is a source-based package manager; if theres no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed _pure_ environment, which is as independent of the host system as possible, thus making binaries reproducible.
Nix is a source-based package manager; if theres no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
## Anonymity-Focused Distributions
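Review bot: the changed emphasis line still reads "you can just reboot and automatically and return to a working version"; since the line is being edited anyway, drop the stray "and" ("reboot and automatically return"). The other changed line has the same opportunity: "if theres no pre-built available in the binary cache" is missing both the apostrophe and a noun ("if there's no pre-built binary available").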
@ -128,15 +128,15 @@ It is often believed that [open source](https://en.wikipedia.org/wiki/Open-sourc
At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g:
- A verified boot chain, unlike Apples [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Androids [Verified Boot](https://source.android.com/security/verifiedboot) or Microsoft Windowss [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
- Strong sandboxing solution such as that found in [MacOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
- A verified boot chain, unlike Apples [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Androids [Verified Boot](https://source.android.com/security/verifiedboot) or Microsoft Windowss [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
- Strong sandboxing solution such as that found in [MacOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
Despite these drawbacks, desktop GNU/Linux distributions are great if you want to:
- Avoid telemetry that often comes with proprietary operating systems
- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
- Have purpose built systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
- Avoid telemetry that often comes with proprietary operating systems
- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
- Have purpose built systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
This page uses the term “Linux” to describe desktop GNU/Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
@ -188,8 +188,8 @@ Any user using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title
For advanced users, we only recommend Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes dont break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Archs repositories.
- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages dont suffer from supply chain attacks.
- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes dont break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Archs repositories.
- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages dont suffer from supply chain attacks.
### Linux-libre kernel and “Libre” distributions
@ -241,9 +241,9 @@ There isnt much point in randomizing the MAC address for Ethernet connections
There are other system [identifiers](https://madaidans-insecurities.github.io/guides/linux-hardening.html#identifiers) which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](https://privacyguides.org/threat-modeling):
- [10.1 Hostnames and usernames](https://madaidans-insecurities.github.io/guides/linux-hardening.html#hostnames)
- [10.2 Time zones / Locales / Keymaps](https://madaidans-insecurities.github.io/guides/linux-hardening.html#timezones-locales-keymaps)
- [10.3 Machine ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id)
- [10.1 Hostnames and usernames](https://madaidans-insecurities.github.io/guides/linux-hardening.html#hostnames)
- [10.2 Time zones / Locales / Keymaps](https://madaidans-insecurities.github.io/guides/linux-hardening.html#timezones-locales-keymaps)
- [10.3 Machine ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id)
### System counting
@ -265,9 +265,9 @@ Users can restrict applications further by issuing [Flatpak overrides](https://d
We generally recommend revoking access to:
- the Network (`share=network`) socket (internet access)
- the PulseAudio socket (for both audio in and out), `device=all` (access to all devices including the camera)
- `org.freedesktop.secrets` dbus (access to secrets stored on your keychain) for applications which do not need it
- the Network (`share=network`) socket (internet access)
- the PulseAudio socket (for both audio in and out), `device=all` (access to all devices including the camera)
- `org.freedesktop.secrets` dbus (access to secrets stored on your keychain) for applications which do not need it
If an application works natively with Wayland (and not running through the [XWayland](https://wayland.freedesktop.org/xserver.html) compatibility layer), consider revoking its access to the X11 (`socket=x11`) and [Inter-process communications (IPC)](https://en.wikipedia.org/wiki/Unix_domain_socket) socket (`share=ipc`) as well.
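Review bot: in the re-indented list the second bullet mixes two unrelated permissions (PulseAudio and `device=all`) and, unlike its neighbours, gives no override key for PulseAudio; split it into two bullets and name the key, `socket=pulseaudio`, so readers can revoke it the same way they revoke `share=network` and `device=all`.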
@ -297,10 +297,10 @@ Arch and Arch-based operating systems often do not come with a mandatory access
For advanced users, you can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, and [seccomp](https://en.wikipedia.org/wiki/Seccomp) blacklist to have better confinement of applications. This is quite a tedious and complicated task so we wont go into detail about how to do it here, but we do have a few projects that you could use as reference.
- Whonixs [AppArmor Everything](https://github.com/Whonix/apparmor-profile-everything)
- Krathalans [AppArmor profiles](https://github.com/krathalan/apparmor-profiles)
- noatsecures [SELinux templates](https://github.com/noatsecure/hardhat-selinux-templates)
- Seirdys [Bubblewrap scripts](https://sr.ht/~seirdy/bwrap-scripts)
- Whonixs [AppArmor Everything](https://github.com/Whonix/apparmor-profile-everything)
- Krathalans [AppArmor profiles](https://github.com/krathalan/apparmor-profiles)
- noatsecures [SELinux templates](https://github.com/noatsecure/hardhat-selinux-templates)
- Seirdys [Bubblewrap scripts](https://sr.ht/~seirdy/bwrap-scripts)
### Securing Linux containers
@ -336,9 +336,9 @@ If you are using non-classic [Snap](https://en.wikipedia.org/wiki/Snap_(package_
There are some additional kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) which are described in the following pages. We dont recommend you change these options unless you learn about what they do.
- [2.2 Sysctl](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl)
- [2.3 Boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
- [2.5 Kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction)
- [2.2 Sysctl](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl)
- [2.3 Boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
- [2.5 Kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction)
Note that setting `kernel.unprivileged_userns_clone=0` will stop Flatpak, Snap (that depend on browser-sandbox), Electron based AppImages, Podman, Docker, and LXC containers from working. Do **not** set this flag if you are using container products.
@ -370,7 +370,7 @@ There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM
On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.:
```
```bash
sudo authselect select <profile_id, default: sssd> with-faillock without-nullok with-pamaccess
```
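Review bot: tagging this fence `bash` invites copy-paste, but `<profile_id, default: sssd>` is not something bash can run (the angle brackets are parsed as redirections and the comma becomes part of the word); show the concrete default, `sudo authselect select sssd with-faillock without-nullok with-pamaccess`, and say in the prose that `sssd` can be swapped for another profile ID.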
@ -388,20 +388,20 @@ Another alternative option if youre using the [linux-hardened](https://privac
For further resources on Secure Boot we suggest taking a look at the following for instructional advice:
- The Archwikis [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) article. There are two main methods, the first is to use a [shim](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim), the second more complete way is to [use your own keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys).
- The Archwikis [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) article. There are two main methods, the first is to use a [shim](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim), the second more complete way is to [use your own keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys).
For background of how Secure Boot works on Linux:
- [The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html)
- [Rod Smiths Managing EFI Boot Loaders for Linux](https://www.rodsbooks.com/efi-bootloaders/)
- [Dealing with Secure Boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html)
- [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html)
- [The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html)
- [Rod Smiths Managing EFI Boot Loaders for Linux](https://www.rodsbooks.com/efi-bootloaders/)
- [Dealing with Secure Boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html)
- [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html)
One of the problems with Secure Boot particularly on Linux is that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and thats where verification stops. The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. There are a few things that can be done to reduce risk such as:
- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
- Using [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
- Using [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
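Review bot: the closing line of the hunk is missing the quotation mark after "supervisor password" ("“supervisor password, “BIOS password”"), and the sentence introducing the re-indented bullets reads "is often left unverified, unencrypted, and open up the window" (should be "opens up the window"). Both are context lines this hunk already surrounds, so fixing them here avoids another pass over the file.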

View File

@ -7,6 +7,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
## Desktop
### MAT2
!!! recommendation
![MAT2 logo](/assets/img/metadata-removal/mat2.svg){ align=right }
@ -25,6 +26,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
- [:fontawesome-brands-gitlab: Source](https://0xacab.org/jvoisin/mat2)
### ExifCleaner
!!! recommendation
![ExifCleaner logo](/assets/img/metadata-removal/exifcleaner.svg){ align=right }
@ -42,6 +44,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
## Mobile
### Scrambled Exif
!!! recommendation
![Scrambled Exif logo](/assets/img/metadata-removal/scrambled-exif.svg){ align=right }
@ -56,6 +59,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
- [:fontawesome-brands-gitlab: Source](https://gitlab.com/juanitobananas/scrambled-exif)
### Imagepipe
!!! recommendation
![Imagepipe logo](/assets/img/metadata-removal/imagepipe.svg){ align=right }
@ -72,6 +76,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
- [:fontawesome-brands-git: Source](https://codeberg.org/Starfish/Imagepipe)
### Metapho
!!! recommendation
![Metapho logo](/assets/img/metadata-removal/metapho.jpg){ align=right }
@ -87,7 +92,9 @@ When sharing files, be sure to remove associated metadata. Image files commonly
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/metapho/id914457352)
## Command-line
### Exiftool
!!! recommendation
![Exiftool logo](/assets/img/metadata-removal/exiftool.png){ align=right }

View File

@ -9,6 +9,7 @@ icon: 'material/two-factor-authentication'
The idea behind 2FA is that even if a hacker is able to figure out your password (something you *know*), they will still need a device you own like your phone (something you *have*) in order to generate the code needed to log in to your account. 2FA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your 2FA method, the better. 2FA methods include: Email or SMS codes, Push Notifications,Software (TOTP) Code-Generating Apps, Hardware Keys.
## MFA Method Comparison
==**SMS Codes** or Emailed Codes are better than nothing at all, but only marginally.== Getting a code over SMS or Email takes away from the "something you *have*" idea, because there are a variety of ways a hacker could take over your phone number or gain access to your emails without having physical access to any of your devices at all!
**Push Notifications** take the form of a message being sent to an app on your phone asking you to confirm new account logins. This is a lot better than SMS or Email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, thus requiring physical access to your device. However, they can be easy to click through and accept accidentally, and are typically sent to *all* your devices at once, widening the availability of the 2FA code if you have many devices. This solution is also generally a proprietary solution, so you are reliant on the company you have an account with to implement their custom solution securely rather than implementing an industry standard. Finally, it requires you to keep an app for every login you have on your mobile device, which may or may not be convenient to you.
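Review bot: the context line enumerating methods is missing a space after the comma in "Push Notifications,Software (TOTP)", and the new heading says "MFA Method Comparison" while the surrounding prose uses "2FA" throughout; settle on one term for the page.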
@ -20,7 +21,9 @@ The ultimate form of multi-factor security are **hardware keys**. These are devi
Ultimately, the best form of two-factor security is the one you will use consistently on every account you have, that doesn't significantly interfere with your life. If you need to log in to an account often or on many devices, a hardware key may prove to be too much of a burden for example.
## Hardware Security Keys
### YubiKey
!!! recommendation
![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png)
@ -32,6 +35,7 @@ Ultimately, the best form of two-factor security is the one you will use consist
[Visit yubico.com](https://www.yubico.com){ .md-button .md-button--primary } [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice){ .md-button }
### NitroKey
!!! recommendation
![NitroKey](/assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
@ -45,11 +49,13 @@ Ultimately, the best form of two-factor security is the one you will use consist
[Visit nitrokey.com](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
## Authenticator Apps
==Generally speaking, TOTP software authenticator apps are going to be the best bet for most people.== They provide a significantly higher level of security than just SMS or Push Notifications, while remaining very convenient for most people who keep their phones with them at all times.
Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret, or otherwise be able to predict what any future codes might be.
### Aegis Authenticator
!!! recommendation
![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ align=right }
@ -64,6 +70,7 @@ Authenticator Apps implement a security standard adopted by the Internet Enginee
- [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis)
### Raivo OTP
!!! recommendation
![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ align=right }

View File

@ -55,6 +55,6 @@ If you are currently using an application like Evernote, Google Keep, or Microso
## Worth Mentioning
- [EteSync](https://www.etesync.com/) - Secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
- [Paperwork](https://paperwork.cloud/) - An open-source and self-hosted solution. For PHP / MySQL servers.
- [Org-mode](https://orgmode.org) - A major mode for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system.
- [EteSync](https://www.etesync.com/) - Secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
- [Paperwork](https://paperwork.cloud/) - An open-source and self-hosted solution. For PHP / MySQL servers.
- [Org-mode](https://orgmode.org) - A major mode for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system.
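Review bot: the three "Worth Mentioning" entries read identically before and after, so this hunk changes only indentation or trailing whitespace, which the rendered view cannot confirm; the raw diff should show the bullets now starting at column 0 like the other lists in this commit. Separately, "privacy respecting sync" in the EteSync entry should be hyphenated ("privacy-respecting"), matching "privacy-respecting online bulletin boards" elsewhere in this commit.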

View File

@ -5,14 +5,17 @@ icon: material/form-textbox-password
Stay safe and secure online with an encrypted and open-source password manager.
## Password best practices
- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
- Store an exported backup of your passwords in an [encrypted container](/file-encryption) on another storage device. This can be useful if something happens to your device or the service you are using.
- If possible store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](/multi-factor-authentication) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
## Local Password Managers
These password managers store the password database locally.
### KeepassXC
!!! recommendation
![KeepassXC logo](/assets/img/password-management/keepassxc.svg){ align=right }
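Review bot: "If possible store ... tokens" needs a comma after "If possible", and the reason given in the last sentence would land better if tied to the advice, e.g. "Typically, mobile platforms have better app isolation and more secure credential storage, so a separate TOTP app keeps the shared secret out of the password database." The heading "### KeepassXC" should be "### KeePassXC", the project's own capitalization.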
@ -34,6 +37,7 @@ These password managers store the password database locally.
- [:fontawesome-brands-github: Source](https://github.com/keepassxreboot/keepassxc)
### KeepassDX
!!! recommendation
![KeepassDX logo](/assets/img/password-management/keepassdx.svg){ align=right }
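Review bot: the heading "### KeepassDX" disagrees with the source link in the same hunk (Kunzisoft/KeePassDX); use "KeePassDX".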
@ -50,9 +54,11 @@ These password managers store the password database locally.
- [:fontawesome-brands-github: Source](https://github.com/Kunzisoft/KeePassDX)
## Cloud syncing Password Managers
These password managers sync up to a cloud server that may be self-hostable.
### Bitwarden
!!! recommendation
![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ align=right }
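Review bot: heading case is inconsistent within this file: "## Cloud syncing Password Managers" here against "## Local Password Managers" and "## Minimal Password Managers", with "## Password management servers" further down. Since the commit is about Markdown style consistency, pick one case, e.g. "## Cloud-Syncing Password Managers" and "## Password Management Servers".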
@ -75,6 +81,7 @@ These password managers sync up to a cloud server that may be self-hostable.
- [:fontawesome-brands-github: Source](https://github.com/bitwarden)
### Psono
!!! recommendation
![Psono logo](/assets/img/password-management/psono.svg){ align=right }
@ -92,9 +99,11 @@ These password managers sync up to a cloud server that may be self-hostable.
- [:fontawesome-brands-github: Source](https://gitlab.com/psono)
## Password management servers
These products are self-hostable synchronization for cloud based password managers.
### Vaultwarden
!!! recommendation
![Vaultwarden logo](/assets/img/password-management/vaultwarden.svg#only-light){ align=right }
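Review bot: "These products are self-hostable synchronization for cloud based password managers" is missing a noun and a hyphen; suggest "These products are self-hostable synchronization servers for cloud-based password managers."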
@ -109,6 +118,7 @@ These products are self-hostable synchronization for cloud based password manage
- [:fontawesome-brands-github: Source](https://github.com/dani-garcia/vaultwarden)
### Psono Server
!!! recommendation
![Psono Server logo](/assets/img/password-management/psono.svg){ align=right }
@ -123,9 +133,11 @@ These products are self-hostable synchronization for cloud based password manage
- [:fontawesome-brands-gitlab: Source](https://gitlab.com/psono/psono-server)
## Minimal Password Managers
These products are minimal password managers that can be used within scripting applications.
### Pass
!!! recommendation
![Pass logo](/assets/img/password-management/pass.svg){ align=right }
@ -140,6 +152,7 @@ These products are minimal password managers that can be used within scripting a
- [:fontawesome-brands-git: Source](https://git.zx2c4.com/password-store)
### gopass
!!! recommendation
![gopass logo](/assets/img/password-management/gopass.svg){ align=right }

View File

@ -5,7 +5,9 @@ icon: material/file-sign
Get working and collaborating without sharing your documents with a middleman or trusting a cloud provider.
## Office Suites
### LibreOffice
!!! recommendation
![LibreOffice logo](/assets/img/productivity/libreoffice.svg){ align=right }
@ -27,6 +29,7 @@ Get working and collaborating without sharing your documents with a middleman or
- [:fontawesome-brands-git: Source](https://www.libreoffice.org/about-us/source-code)
### OnlyOffice
!!! recommendation
![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right }
@ -45,7 +48,9 @@ Get working and collaborating without sharing your documents with a middleman or
- [:fontawesome-brands-github: Source](https://github.com/ONLYOFFICE)
## Planning
### Framadate
!!! recommendation
![Framadate logo](/assets/img/productivity/framadate.svg){ align=right }
@ -58,7 +63,9 @@ Get working and collaborating without sharing your documents with a middleman or
- [:fontawesome-brands-gitlab: Source](https://framagit.org/framasoft/framadate)
## Paste services
### PrivateBin
!!! recommendation
![PrivateBin logo](/assets/img/productivity/privatebin.svg){ align=right }
@ -71,6 +78,7 @@ Get working and collaborating without sharing your documents with a middleman or
- [:fontawesome-brands-github: Source](https://github.com/PrivateBin/PrivateBin)
### CryptPad
!!! recommendation
![CryptPad logo](/assets/img/productivity/cryptpad.svg){ align=right }
@ -83,7 +91,9 @@ Get working and collaborating without sharing your documents with a middleman or
- [:fontawesome-brands-github: Source](https://github.com/xwiki-labs/cryptpad)
## Blogging
### Write.as
!!! recommendation
![Write.as logo](/assets/img/productivity/writeas.svg#only-light){ align=right }
@ -103,7 +113,9 @@ Get working and collaborating without sharing your documents with a middleman or
- [:fontawesome-brands-git: Source](https://code.as/writeas)
## Programming
### VSCodium
!!! recommendation
![VSCodium logo](/assets/img/productivity/vscodium.svg){ align=right }

View File

@ -5,6 +5,7 @@ icon: pg/qubes-os
Qubes OS is a distribution of Linux that uses [Xen](https://en.wikipedia.org/wiki/Xen) to provide app isolation.
### Qubes OS
!!! recommendation
![Qubes OS logo](/assets/img/qubes/qubes_os.svg){ align=right }
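Review bot: "a distribution of Linux that uses Xen to provide app isolation" understates the design. Qubes OS is a Xen-based operating system whose isolation comes from running applications in separate virtual machines (qubes), so "app isolation" here is VM isolation rather than a Linux sandbox; suggest "Qubes OS is a Xen-based operating system that isolates applications in separate virtual machines."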

View File

@ -1,7 +1,9 @@
---
title: Real-Time Communication Tools
icon: material/chat-processing
---
## Encrypted Instant Messengers
### Signal
!!! recommendation
@ -31,6 +33,7 @@ Signal requires your phone number as a personal identifier.
The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
### Element
!!! recommendation
![Element logo](/assets/img/messengers/element.svg){ align=right }
@ -59,6 +62,7 @@ When using [element-web](https://github.com/vector-im/element-web), you must tru
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signals [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
### Briar
!!! recommendation
![Briar logo](/assets/img/messengers/briar.svg){ align=right }
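Review bot: "Signals [Double Ratchet algorithm]" needs the possessive apostrophe: "Signal's".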
@ -81,6 +85,7 @@ Briar has a fully [published specification](https://code.briarproject.org/briar/
Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
### Session
!!! recommendation
![Session logo](/assets/img/messengers/session.svg){ align=right }
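Review bot: "the Bramble [Handshake] and [Transport] protocol" links two protocols, so the noun should be plural: "protocols".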
@ -105,9 +110,11 @@ Session does [not](https://getsession.org/blog/session-protocol-technical-inform
Session was independently audited in 2020. The protocol is described in a whitepaper.
## Types of Communication Networks
There are several network architectures commonly used to relay messages between users. These networks can provide different different privacy guarantees, which is why it's worth considering your [threat model](https://en.wikipedia.org/wiki/Threat_model) when making a decision about which app to use.
### Centralized Networks
![Centralized networks diagram](/assets/img/layout/network-centralized.svg){ align=left }
Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
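Review bot: "These networks can provide different different privacy guarantees" has a duplicated word. Also, "Session was independently audited in 2020. The protocol is described in a whitepaper." links neither the audit nor the whitepaper, while the Signal and Matrix paragraphs in this file link theirs; add the links or drop the claim to an unlinked mention consistently.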
@ -116,21 +123,21 @@ Some self-hosted messengers allow you to set up your own server. Self-hosting ca
**Advantages:**
- New features and changes can be implemented more quickly.
- Easier to get started with and to find contacts.
- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
- Privacy issues may be reduced when you trust a server that you're self-hosting.
- New features and changes can be implemented more quickly.
- Easier to get started with and to find contacts.
- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
- Privacy issues may be reduced when you trust a server that you're self-hosting.
**Disadvantages:**
- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or better user experience. Often defined in Terms and Conditions of usage.
- Poor or no documentation for third-party developers.
- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
- Self hosting requires effort and knowledge of how to set up a service.
- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or better user experience. Often defined in Terms and Conditions of usage.
- Poor or no documentation for third-party developers.
- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
- Self hosting requires effort and knowledge of how to set up a service.
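Review bot: "Most mature and stable features ecosystems, as they are easier to program in a centralized software" is ungrammatical; suggest "Most mature and stable feature ecosystems, since centralized software is easier to develop." "Self hosting requires effort" should be hyphenated ("Self-hosting"), as in the hunk header. One caveat on the nested bullet ("Being [forbidden from connecting third-party clients]..."): Python-Markdown, which the `!!! recommendation` and `{ align=right }` syntax in this commit relies on, only nests a sub-list indented by four spaces, whereas markdownlint's MD007 defaults to two; if the lint config does not set MD007's indent to 4, one of the two tools will complain about this item.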
### Federated Networks
![Federated networks diagram](/assets/img/layout/network-decentralized.svg){ align=left }
Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
@ -139,20 +146,21 @@ When self-hosted, users of a federated server can discover and communicate with
**Advantages:**
- Allows for greater control over your own data when running your own server.
- Allows you to choose who to trust your data with by choosing between multiple "public" servers.
- Often allows for third party clients which can provide a more native, customized, or accessible experience.
- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)
- Allows for greater control over your own data when running your own server.
- Allows you to choose who to trust your data with by choosing between multiple "public" servers.
- Often allows for third party clients which can provide a more native, customized, or accessible experience.
- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)
**Disadvantages:**
- Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network.
- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is utilized.
- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with users on those servers.
- Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network.
- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is utilized.
- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with users on those servers.
### Peer-to-Peer (P2P) Networks
![P2P diagram](/assets/img/layout/network-distributed.svg){ align=left }
[P2P](https://en.wikipedia.org/wiki/Peer-to-peer) messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server.
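Review bot: the last advantage ("...or you trust the person who does (e.g., a family member)") is missing its full stop. "third party clients" should be "third-party clients", matching "third-party developers" and "third-party server" elsewhere in this file, and "recepient" in the P2P context line should be "recipient".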
@ -165,19 +173,19 @@ P2P networks do not use servers, as users communicate directly between each othe
**Advantages:**
- Minimal information is exposed to third parties.
- Modern P2P platforms implement end-to-end encryption by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
- Minimal information is exposed to third parties.
- Modern P2P platforms implement end-to-end encryption by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
**Disadvantages:**
- Reduced feature set:
- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
- Some common messenger features may not be implemented or incompletely, such as message deletion.
- Your [IP address](https://en.wikipedia.org/wiki/IP_address) and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](https://privacyguides.org/providers/vpn) or [self contained network](https://privacyguides.org/software/networks), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention.
- Reduced feature set:
- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
- Some common messenger features may not be implemented or incompletely, such as message deletion.
- Your [IP address](https://en.wikipedia.org/wiki/IP_address) and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](https://privacyguides.org/providers/vpn) or [self contained network](https://privacyguides.org/software/networks), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention.
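Review bot: "Messages can only be sent when both peers are online, however, your client may store messages locally" is a comma splice; use "online; however, ..." or split the sentence. "may not be implemented or incompletely" should be "may be missing or incomplete", and "self contained network" should be "self-contained network", matching the "Self-contained Networks" page title changed in this same commit.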
### Anonymous Routing
![Anonymous routing diagram](/assets/img/layout/network-anonymous-routing.svg){ align=left }
A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
@ -188,13 +196,13 @@ Self-hosting a node in an anonymous routing network does not provide the hoster
**Advantages:**
- Minimal to no information is exposed to other parties.
- Messages can be relayed in a decentralized manner even if one of the parties is offline.
- Minimal to no information is exposed to other parties.
- Messages can be relayed in a decentralized manner even if one of the parties is offline.
**Disadvantages:**
- Slow message propagation.
- Often limited to fewer media types, mostly text since the network is slow.
- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
- More complex to get started as the creation and secured backup of a cryptographic private key is required.
- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform, hence features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
- Slow message propagation.
- Often limited to fewer media types, mostly text since the network is slow.
- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
- More complex to get started as the creation and secured backup of a cryptographic private key is required.
- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform, hence features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
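Review bot: "Less reliable if nodes are selected by randomized routing, some nodes may be very far..." runs two clauses together; a colon after "randomized routing" reads cleanly. "secured backup of a cryptographic private key" should be "secure backup".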

View File

@ -22,6 +22,7 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
- [:fontawesome-brands-git: Source](https://git.openwrt.org)
### pfSense
!!! recommendation
![pfSense logo](/assets/img/router/pfsense.svg#only-light){ align=right }

View File

@ -9,6 +9,7 @@ The recommendations here are based on the merits of each service's privacy polic
Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
### DuckDuckGo
!!! recommendation
![DuckDuckGo logo](/assets/img/search-engines/duckduckgo.svg){ align=right }
@ -25,6 +26,7 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
The company is based in the 🇺🇸 US. Their [Privacy Policy](https://duckduckgo.com/privacy) states they do log your search query, but not your IP or any other identifying information.
### Startpage
!!! recommendation
![Startpage logo](/assets/img/search-engines/startpage.svg){ align=right }
@ -39,6 +41,7 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
Startpage's majority shareholder is System1 who is an adtech company. We don't think that is an issue as they have their own Privacy Policy. The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) for clarification and was satisfied by the answers we received.
### Mojeek
!!! recommendation
![Mojeek logo](/assets/img/search-engines/mojeek.svg){ align=right }
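Review bot: "System1 who is an adtech company" refers to a company, so "which is" rather than "who is".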
@ -51,6 +54,7 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
The company is based in the 🇬🇧 UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.
### Searx
!!! recommendation
![Searx logo](/assets/img/search-engines/searx.svg){ align=right }

View File

@ -5,7 +5,9 @@ icon: material/security-network
If you are currently browsing clearnet and want to access the dark web, this section is for you.
## Self-contained Networks
### Tor
!!! recommendation
![Tor logo](./assets/img/self-contained-networks/tor.svg){ align=right }
@ -27,6 +29,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec
- [:fontawesome-brands-git: Source](https://gitweb.torproject.org/tor.git)
### I2P Anonymous Network
!!! recommendation
![I2P logo](./assets/img/self-contained-networks/i2p.svg){ align=right }
@ -48,6 +51,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec
- [:fontawesome-brands-git: Source](https://geti2p.net/en/get-involved/guides/new-developers#getting-the-i2p-code)
### The Freenet Project
!!! recommendation
![Freenet logo](./assets/img/self-contained-networks/freenet.svg){ align=right }

View File

@ -4,8 +4,10 @@ icon: material/account-supervisor-circle-outline
---
Find a social network that doesnt pry into your data or monetize your profile.
## Decentralized Social Networks
## Decentralized Social Networks
### Mastodon (Twitter Alternative)
!!! recommendation
![Mastodon logo](/assets/img/social-networks/mastodon.svg){ align=right }
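Review bot: the intro sentence "Find a social network that doesnt pry into your data" is missing the apostrophe in "doesn't"; it is a context line here but also appears in every later hunk header of this file, so fixing it once covers them all.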
@ -20,6 +22,7 @@ Find a social network that doesnt pry into your data or monetize your profile
- [:fontawesome-brands-github: Source](https://github.com/mastodon)
### diaspora\* (Google+ Alternative)
!!! recommendation
![diaspora* logo](/assets/img/social-networks/diaspora.svg){ align=right }
@ -33,6 +36,7 @@ Find a social network that doesnt pry into your data or monetize your profile
- [:fontawesome-brands-github: Source](https://github.com/diaspora)
### Friendica (Facebook Alternative)
!!! recommendation
![Frendica logo](/assets/img/social-networks/friendica.svg){ align=right }
@ -46,6 +50,7 @@ Find a social network that doesnt pry into your data or monetize your profile
- [:fontawesome-brands-github: Source](https://github.com/friendica)
### PixelFed (Instagram Alternative)
!!! recommendation
![PixelFed logo](/assets/img/social-networks/pixelfed.svg){ align=right }
@ -58,6 +63,7 @@ Find a social network that doesnt pry into your data or monetize your profile
- [:fontawesome-brands-github: Source](https://github.com/pixelfed)
### Pleroma (Twitter Alternative)
!!! recommendation
![Pleroma logo](/assets/img/social-networks/pleroma.svg){ align=right }
@ -71,6 +77,7 @@ Find a social network that doesnt pry into your data or monetize your profile
- [:fontawesome-brands-gitlab: Source](https://git.pleroma.social/pleroma)
### Movim
!!! recommendation
![Movim logo](/assets/img/social-networks/movim.svg){ align=right }
@ -81,10 +88,12 @@ Find a social network that doesnt pry into your data or monetize your profile
- [:fontawesome-brands-github: Source](https://github.com/movim)
## Related Information
- [JustDeleteMe](https://justdeleteme.xyz) - A directory of direct links to delete your account from web services.
- [Forget](https://forget.codl.fr) - A service that automatically deletes your old posts on Twitter and Mastodon that everyone has forgotten about.
## Facebook Related
- [How do I permanently delete my Facebook account?](https://www.facebook.com/help/224562897555674)
- [Facebook Container by Mozilla](https://addons.mozilla.org/firefox/addon/facebook-container)
- [Stop using Facebook](https://web.archive.org/web/20190510075433/https://www.stopusingfacebook.co/) - A curated list of reasons to stop using Facebook and how to do it.

View File

@ -5,6 +5,7 @@ icon: material/newspaper-variant-outline
Stay up-to-date with privacy-respecting online bulletin boards.
### Tildes
!!! recommendation
![Tildes logo](/assets/img/social-media-aggregator/tildes.svg){ align=right }
@ -17,6 +18,7 @@ Stay up-to-date with privacy-respecting online bulletin boards.
- [:fontawesome-brands-gitlab: Source](hhttps://gitlab.com/tildes)
### Lemmy
!!! recommendation
![Lemmy logo](/assets/img/social-media-aggregator/lemmy.svg){ align=right }
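Review bot: the Tildes source link in the context line has a broken scheme, "hhttps://gitlab.com/tildes"; it should be "https://gitlab.com/tildes". Worth fixing in this pass even though the line is unchanged.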
@ -29,6 +31,7 @@ Stay up-to-date with privacy-respecting online bulletin boards.
- [:fontawesome-brands-github: Source](https://github.com/LemmyNet)
### Postmill
!!! recommendation
![Postmill logo](/assets/img/social-media-aggregator/postmill.png){ align=right }
@ -41,6 +44,7 @@ Stay up-to-date with privacy-respecting online bulletin boards.
- [:fontawesome-brands-gitlab: Source](https://gitlab.com/postmill)
### Freepost
!!! recommendation
![Freepost logo](/assets/img/social-media-aggregator/freepost.svg){ align=right }

View File

@ -6,7 +6,7 @@ icon: 'material/target-account'
Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, et cetera. Often people find that the problem with the tools they see recommended is they're just too hard to start using!
If you wanted to use the **most** secure tools available, you'd have to sacrifice _a lot_ of usability. And even then, <mark>nothing is ever fully secure.</mark> There's **high** security, but never **full** security. That's why threat models are important.
If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And even then, <mark>nothing is ever fully secure.</mark> There's **high** security, but never **full** security. That's why threat models are important.
**So, what are these threat models anyways?**
@ -14,41 +14,45 @@ If you wanted to use the **most** secure tools available, you'd have to sacrific
By focusing on the threats that matter to you, this narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
Examples of threat models
-------------------------
## Examples of threat models
* An investigative journalist's threat model might be <span class="text-muted">(protecting themselves against)</span> a foreign government.
* A company's manager's threat model might be <span class="text-muted">(protecting themselves against)</span> a hacker hired by competition to do corporate espionage.
* The average citizen's threat model might be <span class="text-muted">(hiding their data from)</span> large tech corporations.
* An investigative journalist's threat model might be <span class="text-muted">(protecting themselves against)</span> a foreign government.
* A company's manager's threat model might be <span class="text-muted">(protecting themselves against)</span> a hacker hired by competition to do corporate espionage.
* The average citizen's threat model might be <span class="text-muted">(hiding their data from)</span> large tech corporations.
Creating your threat model
--------------------------
## Creating your threat model
To identify what could happen to the things you value and determine from whom you need to protect them, you want to answer these five questions:
1. What do I want to protect?
2. Who do I want to protect it from?
3. How likely is it that I will need to protect it?
4. How bad are the consequences if I fail?
5. How much trouble am I willing to go through to try to prevent potential consequences?
1. What do I want to protect?
2. Who do I want to protect it from?
3. How likely is it that I will need to protect it?
4. How bad are the consequences if I fail?
5. How much trouble am I willing to go through to try to prevent potential consequences?
#### Example: Protecting your belongings
* To demonstrate how these questions work, let's build a plan to keep your house and possessions safe.
### Example: Protecting your belongings
##### What do you want to protect? (Or, _what do you have that is worth protecting?_)
* Your assets might include jewelry, electronics, important documents, or photos.
* To demonstrate how these questions work, let's build a plan to keep your house and possessions safe.
##### Who do you want to protect it from?
* Your adversaries might include burglars, roommates, or guests.
#### What do you want to protect? (Or, *what do you have that is worth protecting?*)
##### How likely is it that you will need to protect it?
* Does your neighborhood have a history of burglaries? How trustworthy are your roommates/guests? What are the capabilities of your adversaries? What are the risks you should consider?
* Your assets might include jewelry, electronics, important documents, or photos.
##### How bad are the consequences if you fail?
* Do you have anything in your house that you cannot replace? Do you have the time or money to replace these things? Do you have insurance that covers goods stolen from your home?
#### Who do you want to protect it from?
##### How much trouble are you willing to go through to prevent these consequences?
* Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
* Your adversaries might include burglars, roommates, or guests.
#### How likely is it that you will need to protect it?
* Does your neighborhood have a history of burglaries? How trustworthy are your roommates/guests? What are the capabilities of your adversaries? What are the risks you should consider?
#### How bad are the consequences if you fail?
* Do you have anything in your house that you cannot replace? Do you have the time or money to replace these things? Do you have insurance that covers goods stolen from your home?
#### How much trouble are you willing to go through to prevent these consequences?
* Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market, and consider adding a security system.
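Review bot: the demotion from "####"/"#####" to "###"/"####" correctly removes the level skip after "## Creating your threat model". The single bullet under "### Example: Protecting your belongings" ("* To demonstrate how these questions work, let's build a plan...") is a one-item list that reads as a paragraph; make it a plain sentence so only the per-question bullets below it are lists.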
@ -57,41 +61,46 @@ Making a security plan will help you to understand the threats that are unique t
Now, let's take a closer look at the questions in our list:
### What do I want to protect?
An “asset” is something you value and want to protect. In the context of digital security, <mark>an asset is usually some kind of information.</mark> For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets.
_Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it._
*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
### Who do I want to protect it from?
To answer this question, it's important to identify who might want to target you or your information. <mark>A person or entity that poses a threat to your assets is an “adversary.”</mark> Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
_Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations._
*Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you're done security planning.
### How likely is it that I will need to protect it?
<mark>Risk is the likelihood that a particular threat against a particular asset will actually occur.</mark> It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
Assessing risks is both a personal and a subjective process. Many people find certain threats unacceptable no matter the likelihood they will occur because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
_Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about._
*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
### How bad are the consequences if I fail?
There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
<mark>The motives of adversaries differ widely, as do their tactics.</mark> A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
_Write down what your adversary might want to do with your private data._
*Write down what your adversary might want to do with your private data.*
### How much trouble am I willing to go through to try to prevent potential consequences?
<mark>There is no perfect option for security.</mark> Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
_Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints._
*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.*
<div class="row">
<div class="col-12 col-lg-6">
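Review bot: switching the "Make a list..." and "Write down..." prompts from `_..._` to `*...*` is consistent with the asterisk emphasis used in the rest of the patch, and the prose is otherwise untouched. The `<mark>` spans around the key definitions ("an asset is usually some kind of information", "Risk is the likelihood...") stay as inline HTML, so the markdownlint configuration must keep inline HTML allowed for this page to lint clean; the trailing `<div class="row">` / `<div class="col-12 col-lg-6">` context lines are opened here and closed outside the hunk, so nothing in this hunk needs to change for them.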
View File
@ -1,4 +1,5 @@
---
title: Privacy Tools
icon: material/tools
hide:
- navigation
View File
@ -5,7 +5,8 @@ icon: material/video-wireless
The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](/providers/vpn/) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
## Clients
### FreeTube
### FreeTube
!!! recommendation
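Review bot: "### FreeTube" shows up as removed and re-added with no visible text difference, so the change here is whitespace only (a blank line around the heading); that is what `blanks-around-headings` wants, and the same one-line insertion between the trailing "- Source" list item and the next `###` heading recurs in the LBRY, NewPipe, NewPipe x SponsorBlock, Invidious and Piped hunks of this file.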
@ -28,6 +29,7 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-github: Source](https://github.com/FreeTubeApp/FreeTube/)
### LBRY
!!! recommendation
![LBRY logo](/assets/img/video-streaming/lbry.svg){ align=right }
@ -57,6 +59,7 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-github: Source](https://github.com/lbryio)
### NewPipe
!!! recommendation
![Newpipe logo](/assets/img//video-streaming/newpipe.svg){ align=right }
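Review bot: the NewPipe logo path `/assets/img//video-streaming/newpipe.svg` contains a doubled slash; most web servers tolerate it but it is worth fixing while this file is being touched, and the alt text "Newpipe logo" could match the project's capitalisation "NewPipe" used in the heading.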
@ -74,6 +77,7 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-github: Source](https://github.com/TeamNewPipe/NewPipe)
### NewPipe x SponsorBlock
!!! recommendation
![NewPipe x SponsorBlock logo](/assets/img/video-streaming/newpipe.svg){ align=right }
@ -91,7 +95,9 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-github: Source](https://github.com/polymorphicshade/NewPipe)
## Web-based Frontends
### Invidious
!!! recommendation
![Invidious logo](/assets/img/video-streaming/invidious.svg#only-light){ align=right }
@ -118,6 +124,7 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-github: Source](https://github.com/iv-org/invidious)
### Piped
!!! recommendation
![Piped logo](/assets/img/video-streaming/piped.svg){ align=right }
View File
@ -198,12 +198,12 @@ Operating outside the five/nine/fourteen-eyes countries is not a guarantee of pr
**Minimum to Qualify:**
- Operating outside the USA or other Five Eyes countries.
- Operating outside the USA or other Five Eyes countries.
**Best Case:**
- Operating outside the USA or other Fourteen Eyes countries.
- Operating inside a country with strong consumer protection laws.
- Operating outside the USA or other Fourteen Eyes countries.
- Operating inside a country with strong consumer protection laws.
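Review bot: the "Minimum to Qualify" and "Best Case" items appear unchanged because only leading whitespace differs, so the substantive change is the removal of list indentation. That matters for rendering: a list indented four or more spaces after a blank line is treated as an indented code block rather than a bulleted list, and a shallower indent is treated as a nested list. Since every criteria section below (Technology, Privacy, Security, Trust, Marketing) gets the same treatment, a glance at the rendered page for each is a cheap way to confirm the lists now display as intended.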
### Technology
@ -211,18 +211,18 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi
**Minimum to Qualify:**
- Support for strong protocols such as WireGuard & OpenVPN.
- Killswitch built in to clients.
- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency to the user about what their device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
- Support for strong protocols such as WireGuard & OpenVPN.
- Killswitch built in to clients.
- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency to the user about what their device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
**Best Case:**
- WireGuard and OpenVPN support.
- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
- Easy-to-use VPN clients
- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) filesharing software, Freenet, or hosting a server (e.g., Mumble).
- WireGuard and OpenVPN support.
- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
- Easy-to-use VPN clients
- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) filesharing software, Freenet, or hosting a server (e.g., Mumble).
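Review bot: "Killswitch built in to clients" should read "built into clients", and the minimum list says "WireGuard & OpenVPN" while the best-case list says "WireGuard and OpenVPN"; since this hunk already rewrites these lines, it is a cheap place to align them. "Easy-to-use VPN clients" is also the only item in the best-case list without a terminating period, which reads unevenly next to its neighbours.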
### Privacy
@ -230,13 +230,13 @@ We prefer our recommended providers to collect as little data as possible. Not c
**Minimum to Qualify:**
- Bitcoin or cash payment option.
- No personal information required to register: Only username, password, and email at most.
- Bitcoin or cash payment option.
- No personal information required to register: Only username, password, and email at most.
**Best Case:**
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
- No personal information accepted (autogenerated username, no email required, etc.)
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
- No personal information accepted (autogenerated username, no email required, etc.)
### Security
@ -244,16 +244,16 @@ A VPN is pointless if it can't even provide adequate security. We require all ou
**Minimum to Qualify:**
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
- Perfect Forward Secrecy (PFS).
- Published security audits from a reputable third-party firm.
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
- Perfect Forward Secrecy (PFS).
- Published security audits from a reputable third-party firm.
**Best Case:**
- Strongest Encryption: RSA-4096.
- Perfect Forward Secrecy (PFS).
- Comprehensive published security audits from a reputable third-party firm.
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
- Strongest Encryption: RSA-4096.
- Perfect Forward Secrecy (PFS).
- Comprehensive published security audits from a reputable third-party firm.
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
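Review bot: "RSA-2048 or better handshake" and the best-case "Strongest Encryption: RSA-4096" describe the size of the certificate key used to authenticate the TLS handshake, not the key exchange or the data encryption; the key exchange is governed by the "Perfect Forward Secrecy (PFS)" item, which both lists already require. Stating the criterion as "RSA-2048 or ECDSA certificates" would avoid excluding providers that use elliptic-curve certificates, and repeating "Perfect Forward Secrecy (PFS)" verbatim under "Best Case" adds nothing over the minimum.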
### Trust
@ -261,12 +261,12 @@ You wouldn't trust your finances to someone with a fake identity, so why trust t
**Minimum to Qualify:**
- Public-facing leadership or ownership.
- Public-facing leadership or ownership.
**Best Case:**
- Public-facing leadership.
- Frequent transparency reports.
- Public-facing leadership.
- Frequent transparency reports.
### Marketing
@ -274,24 +274,24 @@ With the VPN providers we recommend we like to see responsible marketing.
**Minimum to Qualify:**
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
Must not have any marketing which is irresponsible:
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
**Best Case:**
Responsible marketing that is both educational and useful to the consumer could include:
- An accurate comparison to when Tor or other [Self contained networks](https://privacyguides.org/software/networks/) should be used.
- Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)
- An accurate comparison to when Tor or other [Self contained networks](https://privacyguides.org/software/networks/) should be used.
- Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)
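Review bot: "no certainty for failure" in the 100%-anonymity bullet says the opposite of what is meant (that failure has been ruled out), and "eg." / "eg" should be "e.g."; the nested bullets ("Reusing personal information...", "Browser fingerprinting") correctly keep their indentation because they are sub-points of that claim. The "Claim that a single circuit VPN..." and "Use responsible language..." items are at the outer level again, so the rendered list structure should match the intent once the re-indentation lands.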
### Additional Functionality
@ -321,7 +321,7 @@ A common reason to recommend encrypted DNS is that it helps against DNS spoofing
Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.
### Should I use Tor _and_ a VPN?
### Should I use Tor *and* a VPN?
By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required).
@ -339,35 +339,35 @@ Thus, this feature should be viewed as a convenient way to access the Tor Networ
A VPN may still be useful to you in a variety of scenarios, such as:
1. Hiding your traffic from **only** your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third party websites and services, preventing IP based tracking.
1. Hiding your traffic from **only** your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third party websites and services, preventing IP based tracking.
For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're _trusting_ the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
### Sources and Further Reading
1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
2. [The self-contained networks](https://privacyguides.org/software/networks/) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
3. [Slicing Onions: Part 1 Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
4. [Slicing Onions: Part 2 Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides/)
1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
2. [The self-contained networks](https://privacyguides.org/software/networks/) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
3. [Slicing Onions: Part 1 Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
4. [Slicing Onions: Part 2 Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides/)
[^1]: "WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
## Related VPN information
- [The Trouble with VPN and Privacy Review Sites](https://medium.com/privacyguides/the-trouble-with-vpn-and-privacy-review-sites-ae9b29eda8fd)
- [Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/)
- [blackVPN announced to delete connection logs after disconnection](https://medium.com/@blackVPN/no-logs-6d65d95a3016)
- [Don't use LT2P IPSec, use other protocols.](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)
- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
- [The Trouble with VPN and Privacy Review Sites](https://medium.com/privacyguides/the-trouble-with-vpn-and-privacy-review-sites-ae9b29eda8fd)
- [Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/)
- [blackVPN announced to delete connection logs after disconnection](https://medium.com/@blackVPN/no-logs-6d65d95a3016)
- [Don't use LT2P IPSec, use other protocols.](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)
- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
## VPN Related breaches - why external auditing is important!
## VPN Related breaches - why external auditing is important
- ["Zero logs" VPN exposes millions of logs including user passwords, claims data is anonymous](https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/) July 2020
- [NordVPN HTTP POST bug exposed customer information, no authentication required](https://www.zdnet.com/article/nordvpn-http-post-bug-exposed-sensitive-customer-information/) March 2020
- [Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool](https://www.theregister.com/2019/10/21/nordvpn_security_issue/) October 2019
- [VPN servers seized by Ukrainian authorities weren't encrypted and allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them](https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/) July 2021
- ["Zero logs" VPN exposes millions of logs including user passwords, claims data is anonymous](https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/) July 2020
- [NordVPN HTTP POST bug exposed customer information, no authentication required](https://www.zdnet.com/article/nordvpn-http-post-bug-exposed-sensitive-customer-information/) March 2020
- [Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool](https://www.theregister.com/2019/10/21/nordvpn_security_issue/) October 2019
- [VPN servers seized by Ukrainian authorities weren't encrypted and allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them](https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/) July 2021
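Review bot: the breach list is not in chronological order (July 2020, March 2020, October 2019, July 2021); sorting it newest-first or oldest-first would make the section easier to scan. "LT2P IPSec" in the related-information list should be "L2TP/IPsec", and "services on local area network" in the sources list is missing an article. Dropping the trailing "!" from the "VPN Related breaches" heading is the right call for the trailing-punctuation rule. The `secure**-by-design**` construction, with the opening `**` between a letter and a hyphen, may not render as bold in CommonMark-compliant renderers; `**secure-by-design**` is the safer form.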