mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-12-21 21:55:26 -05:00
Move files into basics dir (#1236)
This commit is contained in:
parent
72fe29ef70
commit
d2d73c63c4
@ -216,7 +216,7 @@ Auditor performs attestation and intrusion detection by:
|
||||
|
||||
No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
|
||||
|
||||
If your [threat model](threat-modeling.md) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
|
||||
If your [threat model](basics/threat-modeling.md) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
|
||||
To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
|
||||
|
||||
### Secure Camera
|
||||
@ -299,8 +299,6 @@ The Google Play Store requires a Google account to login which is not great for
|
||||
|
||||
F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
|
||||
|
||||
*[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.
|
||||
|
||||
Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version.
|
||||
|
||||
We have these general tips:
|
||||
@ -309,7 +307,7 @@ We have these general tips:
|
||||
- Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with.
|
||||
- Check if there are any differences between the F-Droid version and the Google Play Store version. Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google.
|
||||
|
||||
Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy issues in your [threat model](threat-modeling.md).
|
||||
Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy issues in your [threat model](basics/threat-modeling.md).
|
||||
|
||||
#### Neo Store
|
||||
|
||||
|
@ -82,11 +82,11 @@ If you are using a device with Google services, either your stock operating syst
|
||||
|
||||
### Advanced Protection Program
|
||||
|
||||
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../security/multi-factor-authentication.md#fido-fast-identity-online) support.
|
||||
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
|
||||
|
||||
The Advanced Protection Program provides enhanced threat monitoring and enables:
|
||||
|
||||
- Stricter two factor authentication; e.g. that [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
|
||||
- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
|
||||
- Only Google and verified third party apps can access account data
|
||||
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
|
||||
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
|
||||
|
@ -109,7 +109,7 @@ We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmis
|
||||
|
||||
## Why **shouldn't** I use encrypted DNS?
|
||||
|
||||
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
|
||||
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
|
||||
|
||||
When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
|
||||
|
@ -49,7 +49,7 @@ When self hosting Nextcloud, you should also enable E2EE to protect against your
|
||||
|
||||
Proton Drive is currently in beta and only is only available through a web client.
|
||||
|
||||
When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](threat-modeling.md), consider using an alternative.
|
||||
When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](basics/threat-modeling.md), consider using an alternative.
|
||||
|
||||
## Cryptee
|
||||
|
||||
|
@ -7,7 +7,7 @@ icon: material/dns
|
||||
|
||||
Encrypted DNS with third party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
|
||||
|
||||
[Learn more about DNS](technology/dns.md){ .md-button }
|
||||
[Learn more about DNS](basics/dns.md){ .md-button }
|
||||
|
||||
## Recommended Providers
|
||||
|
||||
@ -28,10 +28,10 @@ icon: material/dns
|
||||
|
||||
The criteria for the servers listed above are:
|
||||
|
||||
- Must support [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used)
|
||||
- Must support [DNSSEC](basics/dns.md#what-is-dnssec)
|
||||
- Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support
|
||||
- [QNAME Minimization](technology/dns.md#what-is-qname-minimization)
|
||||
- Allow for [ECS](technology/dns.md#what-is-edns-client-subnet-ecs) to be disabled
|
||||
- [QNAME Minimization](basics/dns.md#what-is-qname-minimization)
|
||||
- Allow for [ECS](basics/dns.md#what-is-edns-client-subnet-ecs) to be disabled
|
||||
|
||||
## Native Operating System Support
|
||||
|
||||
@ -73,7 +73,7 @@ Select **Settings** → **Network & Internet** → **Ethernet or WiFi**, &
|
||||
|
||||
## Encrypted DNS Proxies
|
||||
|
||||
Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](technology/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](technology/dns.md#what-is-encrypted-dns).
|
||||
Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](basics/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](basics/dns.md#what-is-encrypted-dns).
|
||||
|
||||
### RethinkDNS
|
||||
|
||||
@ -82,7 +82,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te
|
||||
![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
|
||||
![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
|
||||
|
||||
**RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNS-over-TLS](technology/dns.md#dns-over-tls-dot), [DNSCrypt](technology/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
|
||||
**RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNS-over-TLS](basics/dns.md#dns-over-tls-dot), [DNSCrypt](basics/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
|
||||
|
||||
[Website](https://rethinkdns.com){ .md-button .md-button--primary } [Privacy Policy](https://rethinkdns.com/privacy){ .md-button }
|
||||
|
||||
@ -98,7 +98,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te
|
||||
|
||||
![DNSCloak logo](assets/img/ios/dnscloak.png){ align=right }
|
||||
|
||||
**DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNSCrypt](technology/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
|
||||
**DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNSCrypt](basics/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
|
||||
|
||||
[Project Info](https://github.com/s-s/dnscloak/blob/master/README.md){ .md-button .md-button--primary } [Privacy Policy](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .md-button }
|
||||
|
||||
@ -113,14 +113,14 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te
|
||||
|
||||
![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
|
||||
|
||||
**dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](technology/dns.md#dnscrypt), [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
|
||||
**dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](basics/dns.md#dnscrypt), [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
|
||||
|
||||
!!! warning "The anonymized DNS feature does [**not**](technology/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
|
||||
!!! warning "The anonymized DNS feature does [**not**](basics/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
|
||||
|
||||
[Wiki](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
|
||||
|
||||
??? downloads
|
||||
|
||||
|
||||
- [:fontawesome-brands-windows: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
|
||||
- [:fontawesome-brands-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
|
||||
- [:fontawesome-brands-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
|
||||
|
@ -26,7 +26,7 @@ Trying to protect all your data from everyone all the time is impractical, expen
|
||||
|
||||
==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
|
||||
|
||||
[:material-book-outline: Learn More About Threat Modeling](threat-modeling.md){ .md-button .md-button--primary }
|
||||
[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md){ .md-button .md-button--primary }
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
@ -170,7 +170,7 @@ There isn’t much point in randomizing the MAC address for Ethernet connections
|
||||
|
||||
### Other Identifiers
|
||||
|
||||
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](threat-modeling.md):
|
||||
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](basics/threat-modeling.md):
|
||||
|
||||
- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
|
||||
- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
|
||||
|
@ -10,7 +10,7 @@ icon: 'material/two-factor-authentication'
|
||||
|
||||
![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
|
||||
|
||||
The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](security/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
|
||||
The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
|
||||
|
||||
One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
|
||||
|
||||
@ -31,7 +31,7 @@ For models which support HOTP and TOTP, there are 2 slots in the OTP interface w
|
||||
|
||||
![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
|
||||
|
||||
**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
|
||||
**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
|
||||
|
||||
[Website](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
|
||||
|
||||
|
@ -8,7 +8,7 @@ Stay safe and secure online with an encrypted and open-source password manager.
|
||||
|
||||
- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
|
||||
- Store an exported backup of your passwords in an [encrypted container](encryption.md) on another storage device. This can be useful if something happens to your device or the service you are using.
|
||||
- If possible, store TOTP tokens in a separate [TOTP app](security/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
|
||||
- If possible, store TOTP tokens in a separate [TOTP app](basics/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
|
||||
|
||||
## Local Password Managers
|
||||
|
||||
|
@ -60,7 +60,7 @@ Profile pictures, reactions, and nicknames are not encrypted.
|
||||
|
||||
Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings.
|
||||
|
||||
When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
|
||||
When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](basics/threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
|
||||
|
||||
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
|
||||
|
||||
|
@ -28,7 +28,7 @@ The primary threat when using a video streaming platform is that your streaming
|
||||
|
||||
!!! Warning
|
||||
|
||||
When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling.md) requires hiding your IP address.
|
||||
When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
|
||||
|
||||
### LBRY
|
||||
|
||||
@ -55,7 +55,7 @@ The primary threat when using a video streaming platform is that your streaming
|
||||
|
||||
!!! warning
|
||||
|
||||
While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling) requires hiding your IP address.
|
||||
While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
|
||||
|
||||
We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
|
||||
|
||||
|
@ -73,3 +73,4 @@
|
||||
*[cgroups]: Control Groups
|
||||
*[fork]: In software development, a fork is created when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software.
|
||||
*[rolling release]: An update release cycle in which updates are released very frequently, instead of at set intervals.
|
||||
*[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.
|
||||
|
@ -139,10 +139,10 @@ nav:
|
||||
- Home: 'index.md'
|
||||
- 'Knowledge Base':
|
||||
- 'The Basics':
|
||||
- 'threat-modeling.md'
|
||||
- 'technology/dns.md'
|
||||
- 'security/multi-factor-authentication.md'
|
||||
- 'security/account-deletion.md'
|
||||
- 'basics/threat-modeling.md'
|
||||
- 'basics/dns.md'
|
||||
- 'basics/multi-factor-authentication.md'
|
||||
- 'basics/account-deletion.md'
|
||||
- 'Android':
|
||||
- 'android/overview.md'
|
||||
- 'android/grapheneos-vs-calyxos.md'
|
||||
|
Loading…
Reference in New Issue
Block a user