Privacy and Security
There is a lot of information regarding digital privacy and security including a lot of misinformation which ignore best practices, promote insecure products or products with no real privacy benefit, and even spread misinformation and conspiracy theories about "big tech". This guide aims to provide real privacy and security.
You should start by creating a threat model. For most people, this would be to protect your passwords and other sensitive information from hackers and malware. Having privacy and security does come at the cost of convenience, so you should balance these two things. Between privacy and security, most people should prioritize the latter over the former because it's impossible to have privacy without security.
Most people need not worry about open source and closed source software. Despite common belief, open source software has no security benefits compared to closed source and is simply just another release model. Lots of proprietary software is actually more secure than their open source counterparts (e.g. Windows and macOS are more secure than Linux, Chrome is more secure than Firefox, Bitlocker is more secure than Veracrypt, and Microsoft Office is more secure than LibreOffice).
Reading Material: https://privsec.dev/knowledge/threat-modeling/ https://www.privacyguides.org/basics/threat-modeling/ https://www.privacyguides.org/basics/common-threats/ https://seirdy.one/2022/02/02/floss-security.html
Mobile Operating Systems
Most people should use their phones and avoid Desktops when possible because phones are far more secure than desktops as they were designed with strong sandboxing, per-app hardware permissions, modern exploit mitigations, verified boot, and more.
Google Pixel phones are the only phones you should buy as they are the only secure phones. They have full verified boot, use the custom Titan M2 chip, and more. Do not even think about buying a different phone (except maybe an iPhone).
Reading Material: https://source.android.com/security/features https://source.android.com/security https://privsec.dev/os/android-tips/ https://madaidans-insecurities.github.io/android.html https://madaidans-insecurities.github.io/linux-phones.html https://support.google.com/android/answer/7663172?hl=en&visit_id=637368692303073503-4208188940&rd=1 https://wonderfall.dev/fdroid-issues/
GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. GrapheneOS also develops various apps and services with a focus on privacy and security. Vanadium is a hardened variant of the Chromium browser and WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal security-focused PDF Viewer, our hardware-based Auditor app / attestation service providing local and remote verification of devices, and the externally developed Seedvault encrypted backup which was initially developed for inclusion in GrapheneOS.
GrapheneOS improves the privacy and security of the OS from the bottom up. It deploys technologies to mitigate whole classes of vulnerabilities and make exploiting the most common sources of vulnerabilities substantially more difficult. It improves the security of both the OS and the apps running on it. The app sandbox and other security boundaries are fortified. GrapheneOS tries to avoid impacting the user experience with the privacy and security features. Ideally, the features can be designed so that they're always enabled with no impact on the user experience and no additional complexity like configuration options. It's not always feasible, and GrapheneOS does add various toggles for features like the Network permission, Sensors permission, restrictions when the device is locked (USB peripherals, camera, quick tiles), etc. along with more complex user-facing privacy and security features with their own UX.
GrapheneOS will never include either Google Play services or another implementation of Google services like microG. Those are not included in the Android Open Source Project and are not required for baseline Android compatibility.
Android is an operating system for mobile devices such as smartphones and tablet computers. It consists of a kernel based on the Linux kernel, with middleware, libraries and APIs written in C and application software running on an application framework which includes Java-compatible libraries based on Apache Harmony.
Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. Developers write primarily in a customized version of Java.
Apps can be downloaded from third-party sites or through online stores such as Google Play Store , the app store run by Google.
Desktop Operating Systems
Desktops were not designed with security in mind. However, some operating systems including Windows 11, macOS, and ChromeOS are less bad at this. Most people should avoid using desktops when possible and use their phones instead.
Linux by default is not secure and requires a lot of hardening and constant maintenance in order to use safely. For this reason, Linux should only be used by professionals and system administrators that understand the risks of using it and are willing to dedicate a lot of time into hardening and maintaining their system.
Reading Material: https://madaidans-insecurities.github.io/linux.html https://privsec.dev/os/linux-insecurities https://privsec.dev/os/desktop-linux-hardening/ https://github.com/beerisgood/Windows11_Hardening https://github.com/beerisgood/macOS_Hardening
Windows 11 provides a calm and creative space where you can pursue your passions through a fresh experience. From a rejuvenated Start menu to new ways to connect to your favorite people, news, games, and content—Windows 11 is the place to think, express, and create in a natural way.
macOS is a Unix-based operating system, developed and marketed by Apple Inc. It is designed to run on Macintosh computers, having been pre-installed on all Macs since 2002. Within the market of home computers, and by web usage, macOS is the second most widely used desktop OS after Windows.
macOS Ventura makes the things you do most on Mac even better, with big updates to the apps you use everyday including Mail, Messages, and Safari. You can use your iPhone as a webcam for your Mac with Continuity Camera. There's also an entirely new way to automatically organize your windows with Stage Manager. And when you upgrade, you get the latest security and privacy protections for your Mac.
Qubes is an open source operating system designed to provide strong security for desktop computing.
Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.
This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.
Whonix is a desktop operating system designed for advanced security and privacy. Whonix mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks. Commonly used applications are pre-installed and safely pre-configured for immediate use. The user is not jeopardized by installing additional applications or personalizing the desktop. Whonix is under active development and is the only operating system designed to be run inside a VM and paired with Tor.
Based on Tor Whonix utilizes Tor's free software, which provides an open and distributed relay network to defend against network surveillance.
Isolation Connections through Tor are enforced. DNS leaks are impossible, and even malware with root privileges cannot discover the user's real IP address.
Compatibility Whonix is available for all major operating systems. Most commonly used applications are compatible with the Whonix design.
Browsers
Use Chromium browsers only (the only exception being Tor Browser as it is required to safely access the Tor network). Chromium browsers provide the strongest sandboxing and exploit mitigations. Site isolation is a feature in Chromium and Firefox browsers that separates each website into an isolated sandbox so that websites can't access eachother's data or resources.
You should never install any browser extensions. Browser extensions have privileged access in your browser requiring you to trust the developer. They also make you stand out thus reducing privacy. Adblocking is a form of enumerating badness and not a viable approach to blocking tracking. Google Chrome and Microsoft Edge will enforce Manifest V3 and end support for Manifest V2, which is good for privacy as it restricts what Adblockers can do.
The sane approach to preventing browser tracking would be to use a VPN to hide your IP address and mitigating fingerprinting by using a common browser with no browser extensions on a common operating system. Block third-party cookies to prevent cross-site tracking and clear cookies and site data on exit to prevent persistent tracking. If you wish to have privacy from Google, you can disable telemetry in chrome://settings.
Reading Material: https://madaidans-insecurities.github.io/firefox-chromium.html https://grapheneos.org/usage#web-browsing https://www.ranum.com/security/computer_security/editorials/dumb/ https://fingerprint.com/blog/disabling-javascript-wont-stop-fingerprinting/
A free web browser developed by Google from the open source Chromium project with a focus on speed and minimalism. Chrome offers fast start-up and web page loading, supports a minimalist user interface, automatically updates in the background, and offers syncing of browser bookmarks, extensions, passwords, and history between multiple computers by your Google account.
Additionally, Chrome has PDF support built into the browser for better speed and security.
Chrome Web Apps and Extensions are available on Chrome Web Store .
Available in more than 50 languages.
Rebuilt from the ground up using Chromium, the new Microsoft Edge brings you world-class compatibility and performance, the security and privacy you deserve, and new features designed to bring you the best of the web.
FEATURES
- Available on all supported versions of Windows, macOS, iOS, and Android.
- News, images, search—choose what you want to see when you open a new tab. Select a layout best for you: Focused, Inspirational, or Informational.
- Integrated with Office 365, Collections makes it easier than ever to collect, organize, share, and export web content to Word or Excel.
- Compatible with your favorite extensions, so it’s easy to personalize your browsing experience. You now can even use Chrome Web Apps and Extensions, available on Chrome Web Store.
- Microsoft Edge and Bing give you more control over your data, and more transparency into what information is being collected, while you browse with new features like Tracking Prevention and InPrivate mode.
- Microsoft Defender SmartScreen automatically protects you online from security issues, phishing schemes, and malicious software.
The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
Search Engines
Google's search index has better filtering and spam protection to prevent users from clicking on malicious URLs. For this reason, it's advised to use a search engine which primarily uses Google results. You should not use SearX or SearXNG.
Reading Material: https://discuss.privacyguides.org/t/remove-searxng/124
Brave Search is built on top of a completely independent index, and doesn’t track users, their searches, or their clicks.
Brave Search is available in beta release globally on all Brave browsers (desktop, Android, and iOS) as one of the search options alongside other search engines, and will become the default search in the Brave browser later. It is also available from any other browser.
Brave Search is different from other search engines because it uses its own index and follows different principles:
- Privacy: no tracking or profiling of users.
- User-first: the user comes first, not the advertising and data industries.
- Independence: Brave has its own search index for answering common queries privately without reliance on other providers.
- Choice: soon, options for ad-free paid search and ad-supported search. (Sometime in early 2022, Brave Search results will include paid ads (delivered, of course, in a way that protects privacy). Users with a Brave Search Premium subscription will see ad-free search results)
- Transparency: no secret methods or algorithms to bias results, and soon, community-curated open ranking models to ensure diversity and prevent algorithmic biases and outright censorship.
- Seamlessness: best-in-class integration between the browser and search without compromising privacy, from personalization to instant results as the user types.
- Openness: Brave Search will soon be available to power other search engines.
Brave Search uses its own index, but also ensures fully anonymous search, is transparent in how search results are ranked, and integrates with a privacy-preserving browser on desktop and mobile – an across-the-board combination of independence and privacy which no other provider offers.
Brave Search is also introducing the industry’s first search independence metric, displaying the ratio of results coming exclusively from Brave’s index. It is derived privately using the user’s browser as we do not build user profiles. Users can check this aggregate metric to verify the independence of their results and see how results are powered by our own index, or if third-parties are being used.
Why did we create Startpage.com?
As kids, we’re all taught not to touch stuff that doesn’t belong to us. It’s a good guideline. So why are online companies harvesting our personal data without our consent? They shouldn’t. That’s why we’re developing online tools that help you stay in control of your personal information. Search is done. Expect other private versions of common digital services soon. Why? Because it’s our belief that personal data should be your data, not Big Data. Period.
How we made search private
You can’t beat Google when it comes to online search. So we’re paying them to use their brilliant search results in order to remove all trackers and logs. The result: The world’s best and most private search engine. Only now you can search without ads following you around, recommending products you’ve already bought. And no more data mining by companies with dubious intentions. We want you to dance like nobody’s watching and search like nobody’s watching.
No personal data storage
We don’t collect or share your personal information. Ever. There’s literally no data about you on our servers. None. We can’t profile you, and we can’t be forced to hand over your data to authorities, simply because we don’t have any data to hand over.
Anonymous View
Clicking search results means leaving the protection of Startpage.com. This could lead to a barrage of cookies being installed on your device. That’s why we developed the "Anonymous View" feature. With "Anonymous View" you can visit search results in full privacy, and keep on browsing: They’ll never know you were there. You’ll find the feature next to every search result.
No filter bubble
Other search engines use your search habits to serve you results they think you want, essentially trapping you in an echo chamber of results. With Startpage.com, you break through the filter bubble to see a wider variety of results.
Messaging Apps
If possible, you should convince your friends and family to use a more secure messaging app instead of SMS, iMessage, or WhatsApp. If you are unable to switch to a more secure messenger, you should use your phone's default SMS app.
Reading Material: https://www.securemessagingapps.com/ https://www.privacyguides.org/real-time-communication/communication-network-types/ https://www.privacyguides.org/real-time-communication/signal-configuration-hardening/
Using Signal, you can communicate instantly with your relatives without making a compromise on privacy or security. Make video calls, send messages, pictures, videos, documents, voice recordings, GIFs, contacts & location, create groups so that you can chat in real time with all your friends at once and react to their messages with emojis -all with complete privacy-. Signal servers never have access to any of your communications and never store any of your data.
- Say Anything - Share text, voice messages, photos, videos, GIFs and files for free. Signal uses your phone's data connection so you can avoid SMS (No longer supports SMS or MMS) and MMS fees.
- Speak Freely - Make crystal-clear voice and video calls to people who live across town, or across the ocean, with no long-distance charges.
- Make Privacy Stick - Add a new layer of expression to your conversations with encrypted stickers. You can also create and share your own sticker packs.
- Get Together with Groups - Group chats make it easy to stay connected to your family, friends, and coworkers.
- No ads. No trackers. No kidding. - There are no ads, no affiliate marketers, and no creepy tracking in Signal. So focus on sharing the moments that matter with the people who matter to you.
- Remain Connected - Push notifications let you know when new messages have arrived, and they'll be waiting for you even if your battery dies or you temporarily lose service.
- View Source - All of our code is free, open, and available on GitHub (https://github.com/signalapp).
- Join Movements - Technology developed by Open Whisper Systems is trusted and used by millions of people around the world every day.
Email Services
Email was not designed with privacy or security in mind and should only be used when required (such as registration for websites). It's a good idea to use webmail instead of a third-party mail client since websites in a browser are much less privileged than native apps and have less attack surface. However, webmail may contain ads and malicious JavaScript, so using a mail client that supports OAuth (such as Windows Mail or Apple Mail) may be better for some threat models.
Reading Material: https://latacora.singles/2020/02/19/stop-using-encrypted.html https://latacora.micro.blog/2019/07/16/the-pgp-problem.html https://improsec.com/tech-blog/email-security-pitfalls https://twitter.com/DanielMicay/status/1145264664315604992 https://proton.me/blog/cryptographic-architecture-response
Secure email with absolutely no compromises, brought to you by MIT and CERN scientists.
Swiss Based ProtonMail is incorporated in Switzerland and our servers are located in Switzerland. We are outside of US and EU jurisdiction and all user data is protected by strict Swiss privacy laws.
Zero Access Because of our end-to-end encryption, your data is already encrypted by the time it reaches our servers. We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties.
Backwards Compatible ProtonMail works out of any modern web browser, there is nothing to install. We are also backwards compatible with other email providers so you can continue sending and receiving emails from friends who are not using ProtonMail.
Forever Free We believe privacy is a fundamental human right and should be available for everyone. That's why we offer multi-tiered pricing including a free version that anyone can use. Let's bring privacy back to the people!
Fully Anonymous We do not log IP addresses or require any personal information to sign up. We accept bitcoin and cash payments for paid accounts to ensure even paid account users have complete privacy.
Cross Platform ProtonMail works on all devices, including desktops, laptops, tablets, and smartphones. It's as simple as visiting our site and logging in. There are no plugins or apps to install - simply use your favorite web browser.
SimpleLogin is the open source, self-hostable solution to protect your email address using email alias: just use alias everywhere instead of your personal email address.
All emails sent to an alias are forwarded to your email inbox. And not only a SimpleLogin alias can receive emails, it can also send and reply to emails.
With our extensions on Chrome and Firefox and Safari one is coming, create quickly alias without leaving your browser tab.
Believing that anyone should be able to protect their email address for free, SimpleLogin has a generous free plan: no cap on bandwidth and infinite forwards/replies.
If you have your own domain, with powerful features like catch-all email alias, SimpleLogin could replace your email hosting solution!
VPN Services
A VPN does not add security nor does it make you anonymous. Your VPN provider can see all of your traffic and there's no way to verify that a VPN provider doesn't log. A VPN does two things: it hides your browsing activity from your ISP and it hides your true IP address from websites you visit.
Mullvad is not recommended as they do not support 2FA. Because they use an account number system in which a random number serves as both the username and password, Mullvad accounts are incredibly easy to hack.
Reading Material: https://privsec.dev/knowledge/commercial-vpn-use-cases/ https://gist.github.com/joepie91/5a9909939e6ce7d09e29 https://madaidans-insecurities.github.io/vpns.html
Security Our secure VPN sends your internet traffic through an encrypted VPN tunnel, so your passwords and confidential data stay safe, even over public or untrusted Internet connections.
Privacy Keep your browsing history private. As a Swiss VPN provider, we do not log user activity or share data with third parties. Our anonymous VPN service enables Internet without surveillance.
Freedom We created Proton VPN to protect the journalists and activists who use Proton Mail. Proton VPN breaks down the barriers of Internet censorship, allowing you to access any website or content.
Internet security for everyone Our goal is to make online privacy accessible to all. To do this, we have focused on making the advanced security technology in Proton VPN effortless to use and freely available.
Free VPN We believe privacy and security are fundamental human rights, so we also provide a free version of Proton VPN to the public. Unlike other free VPNs, there are no catches. We don't serve ads or secretly sell your browsing history. Proton VPN Free is subsidized by Proton VPN paid users. If you would like to support online privacy, please consider upgrading to a paid plan for faster speeds and more features.
Easy to Use The best security tools in the world will only protect you if used correctly and consistently. We have extensively simplified the Proton VPN interface to make it as intuitive as possible – so you can stay protected every day, hassle free.
Fast VPN Speeds A 10 Gbps server network combined with our unique suite of VPN Accelerator technologies can improve speeds by over 400%. The advanced network TCP flow control algorithm we utilize provides unparalleled performance and connection stability.
Multi-Platform Support Proton VPN is available on all your devices, including PCs, Macs, smartphones, and even routers. A secure Internet connection that you can trust is essential to maintaining your privacy on your laptop at home, your mobile device on the road, or your workstation at the office. Proton VPN has native apps for Windows, macOS, Linux, Chromebook, Android, Android TV and iOS/iPadOS.
Stream from anywhere Proton VPN unblocks a wide selection of popular online media services, allowing you to access your favorite streaming content from anywhere in the world as if you were at home. Our fast server network and unique VPN Accelerator technology also ensure your experience is smooth and buffering-free.
VPN Accelerator VPN Accelerator is a set of technologies unique to Proton VPN that can increase your VPN speeds by over 400%. By overcoming CPU limitations that affect how VPN protocols are processed, using advanced networking techniques to reduce latency, and redesigning VPN protocols themselves to reduce inefficiencies in their code, VPN Accelerator can dramatically increase speed performance.
IVPN offers a secure VPN service to privacy minded individuals including multi-hop technology and fast bandwidth. Protect your privacy now!
YOUR PRIVACY & SECURITY REQUIRES MORE THAN JUST A VPN SERVICE
We don't pretend that you can just flip a switch and enjoy complete security and peace of mind. Your privacy and security requires that you adopt a mindset that considers your online defences at many levels. You must consider fundamental questions such as "what data am I trying to protect?" and "from whom am I trying to protect it?". Which is why we publish our free privacy and security guides for novices to our most sophisticated users.
Install our exclusive IVPN software that protects against every type of known IP leak and connect to the internet without any fear of being tracked, monitored or censored. All your online activity is tied to our network IP addresses, ensuring your long-term privacy.
We've been around since 2009, far longer than most VPN services. You can rely on our hard-earned reputation for the security of our service, providing you with a privacy service you can trust.
And we don't store any logs that could compromise your privacy or anonymity.
With IVPN, your privacy and security is more than just an afterthought – it's our top priority.
Password Managers
You should always use different passwords for every website. Always generate long 32+ character passwords with a random combination of letters (uppercase and lowercase), numbers, and symbols.
1Password creates strong, unique passwords for all of your sites and logs you in with a single tap (or click).
A single click opens your browser, opens a site, fills in your username and password, and logs you in. Our Strong Password Generator is your key to password liberation. One click creates a strong, unique password for each account, and our browser extension fills it into the website automatically.
Organize your vault
Mark your most important or frequently used items for quick access and sync this list among all your devices. Drag any mix of 1Password Logins, Secure Notes, and other items into folders for work, finances, social media, or any other grouping you need. Adding tags to 1Password items is a snap; focusing on them to get things done is even easier.
Our new service keeps you informed about your security. Watchtower securely checks your logins for known vulnerabilities and tells you which sites need new passwords.
Bitwarden is the easiest and safest way to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
Password theft is a serious problem. The websites and apps that you use are under attack every day. Security breaches occur and your passwords are stolen. When you reuse the same passwords across apps and websites hackers can easily access your email, bank, and other important accounts.
Security experts recommend that you use a different, randomly generated password for every account that you create. But how do you manage all those passwords? Bitwarden makes it easy for you to create, store, and access your passwords.
Bitwarden stores all of your logins in an encrypted vault that syncs across all of your devices. Since it's fully encrypted before it ever leaves your device, only you have access to your data. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.
Bitwarden is 100% open source software. The source code for Bitwarden is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.
Two-Factor Authentication
Always use 2FA on all websites. Prefer authenticator apps and hardware keys (such as Yubikey) and only use SMS or Email when no other option is available. If a website or service does not offer 2FA, do not register for it.
Reading Material: https://www.privacyguides.org/basics/multi-factor-authentication/
Encryption All of your one-time passwords are stored in a vault. If you choose to set a password, which is highly recommended, the vault will be encrypted using AES-256. If someone with malicious intent gets a hold of the vault file, it’s impossible for them to retrieve the contents without knowing the password.
Fingerprint unlock Entering your password each time you need access to a one-time password can be cumbersome. Fortunately, you can also enable fingerprint unlock if your device has a fingerprint scanner.
Compatibility Aegis supports the HOTP and TOTP algorithms. These two algorithms are industry-standard and widely supported, making Aegis compatible with thousands of services. Some examples are: Google, GitHub, Dropbox, Facebook and Instagram.
It is also compatible with Google Authenticator. Any website that shows a QR code for Google Authenticator also works with Aegis.
Groups Have a lot of one-time passwords? Add them to custom groups for easier access. Personal, Work and Social can each get their own group.
Backups To make sure you will never lose access to your online accounts Aegis Authenticator supports exporting your vault which you can import onto a new device. Aegis Authenticator also allows you to import AndOTP and FreeOTP databases so switching to Aegis is made easier for you.
Open source and license Aegis Authenticator is open source (licensed under GPL v3) and the source code can be found here: http://github.com/beemdevelopment/Aegis
Open the app in one tap, sign in with FaceID and copy your one-time password to your Mac in one tap with handoff. Using a one-time password manager has never been easier!
Features: • Backup/sync one-time passwords to iCloud. • Search through your one-time passwords in one tap. • Export your one-time passwords to encrypted ZIP archives. • Add custom icons to your one-time passwords. • Scan a QR code or add a one-time password manually. • Show both the current and previous one-time password. • Unlock Raivo OTP with FaceID, TouchID or a passcode. • Raivo OTP is native and open-source (built in Swift 5)!
Cloud Storage
Make sure your provider supports end-to-end encryption. Otherwise, use a tool like Cryptomator to encrypt your files before uploading them to the cloud.
You should have full control over your data. We help you achieve that: a safe home for all your data. Secure, under your control and developed in an open, transparent and trustworthy way. We are Nextcloud.
Nextcloud offers industry-leading on-premises file sync and online collaboration technology. Our expertise is in combining the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs.
Our self-hosted solutions ensure you know where data is, who has access, and that even meta-data does not leak.
We create three products, integrated and acting as one:
Nextcloud Files offers an on-premise Universal File Access and sync platform with powerful collaboration capabilities and desktop, mobile and web interfaces.
Nextcloud Talk delivers on-premises, private audio/video conferencing and text chat through browser and mobile interfaces with integrated screen sharing and SIP integration.
Nextcloud Groupware integrates Calendar, Contacts, Mail and other productivity features to help teams get their work done faster and easier.
Our products integrate powerful capabilities to control and monitor data exchange and communication, including our unique File Access Control and workflow features, extensive audit logs, fine-grained sharing controls and more.
Security is Nextcloud users' greatest concerns and our prime advantage over competitors. Nextcloud features a host of unique, innovative security technologies from brute force protection to advanced server side and integrated end-to-end, client side encryption with enterprise-grade key handling and a wide range of security hardenings. Our security has been reviewed by trusted third parties and is backed by a USD 5000 Security Bug Bounty Program, providing the confidence that data meant to stay private will stay private.
The safest way to store or share your files Proton Drive is an end-to-end encrypted Swiss vault for your files, ensuring that nobody except those authorized by you can access your data.
Protect your files with end-to-end encryption Proton Drive uses end-to-end encryption, which means no one else, not even Proton, can access your files. Your file content, file names, folder names, and paths are all fully encrypted. Proton Drive is open source and independently audited. Anyone can verify that our encryption works as described.
Syncing and sharing made easy Your Proton Drive is a secure vault that you can carry with you and give or revoke access to.
Free file storage Everyone has the right to privacy, which is why we make Proton Drive available for free. To access more features and support our fight for a better internet, upgrade to a paid account.
Your data, your rules With Proton Drive, you keep full control of your data. Unlike other cloud file storage services, our encryption ensures we can't access your files.
Swiss privacy Proton Drive is based in Switzerland and functions as a Swiss vault for your data. Your data is protected by some of the world's strongest privacy laws.
It works just like other file storage services, except everything is encrypted automatically. Automatic cross-device sync means all your files are available on all your devices, all the time. Easily share files with anyone with one click.
Cryptomator provides transparent, client-side encryption for your cloud. Protect your documents from unauthorized access. Cryptomator is free and open source software, so you can rest assured there are no backdoors.
Easy and Reliable
We understand simplicity as a key aspect of security. With Cryptomator you don't have to deal with accounts, key management, cloud access grants or cipher configurations. Just choose a password and you're ready to go.
You don't even need to specify what cloud you use. Cryptomator encrypts files and doesn't care where you store them. This makes it a lightweight application, which we believe is a huge benefit for reliability. Complexity would kill security.
Cryptomator is a so-called transparent encryption utility. This means that you don't have to learn new workflows. Just work with your files as you're used to.
Secure and Trustworthy
Cryptomator encrypts file contents and names using AES. Your passphrase is protected against bruteforcing attempts using scrypt. Directory structures and file sizes get obfuscated. The only thing which cannot be encrypted without breaking your cloud synchronization is the modification date of your files.
Cryptomator's desktop app is a free and open source software licensed under the MIT / X Consortium License. This allows anyone to check our code. It is impossible to introduce backdoors for third parties. Also we cannot hide vulnerabilities. And the best thing is: There is no need to trust us, as you can control us!
Vendor lock-ins are impossible. Even if we decided to stop development: The desktop source code is already cloned by hundreds of other developers. As you don't need an account, you will never stand in front of locked doors.
Other Best Practices:
- Always update without question.
- Only visit websites you know and trust and never click on a random link, even if it's from someone you trust or if it seems legitimate.
- Do not be paranoid about corporate telemetry.
- Never assume unknown developers and service providers are more trustworthy than big corporations.
- Never assume the so-called "fediverse" or other alternative platforms are more secure or privacy-respecting than Facebook.
- Stay away from "privacy-respecting" frontends such as Invidious and use the official website only. You can use a VPN to hide your IP address.
- Never leave your devices unattended.
- Never give sensitive information online if you don't have to, no matter how insignificant it may seem, and never share your passwords or private keys with anyone.
- Cover up or remove any webcams or microphones when not in use.
- Do not install and remove apps you do not need, and do not install a bunch of security software. Keep it minimal.
- Always use full-disk encryption, preferably Bitlocker on Windows and Filevault on macOS.
- Do not plug your devices into unknown ports and do not plug unknown devices into ports.
- Don't use social media.
- Only read and listen to trusted, reputable sources and security researchers like Daniel Micay and Madaidan.
- Do not attempt to access the deep web.
Reading Material: https://privsec.dev/ https://www.privacyguides.org/ https://madaidans-insecurities.github.io/security-privacy-advice.html https://github.com/beerisgood/Security-link-collection https://thenewoil.org/
Comments
I'm curious to hear your review of Comodo Dragon browser which I've been using for years.
Comodo Dragon has had major security issues in the past and it uses an outdated version of Chromium. Comodo is one of those shady companies like Avast which should be avoided.
Source: https://www.theregister.co.uk/2016/02/02/google_disses_chromodo/
I don't get it Chrome and Edge on a provacy and security list ? Why not something like brave ? The other recommandations are good but why the heck you put those two spyware ?
Because Chrome and Edge are the most secure browsers and the "spyware" can be disabled in the settings. Brave gets slower updates than Chrome and Edge which means users must deal with unpatched security vulnerabilities for days each release. Brave's adblocker is just a convenience feature and is not a substitute for timely updates. Brave also has a history of shady practices including inserting referral codes into URLs and soliciting donations.
Sources: https://web.archive.org/web/20181224011529/https://twitter.com/tomscott/status/1076160979388518407 https://twitter.com/cryptonator1337/status/1269201480105578496
Yes for security it's the best but for privacy probably not the best even hardened but it's not the worst setup either. You should provide more informations on how to harden them. (uBlock Origin, settings to change, etc...)
I do provide plenty of information on how to secure browsers. uBlock Origin is not recommended as it's a privileged extension that uses Manifest V2 which is being deprecated as it's bad for privacy and security. Adblocking in general doesn't improve privacy. It's just enumerating badness. It's impossible to create a list of every known tracker and even if you did, websites can still collect plenty of data about you and share that data with third parties so everyone gets the same information regardless.
I recommend reading Madaidan's article about why most browser tracking methods are ineffective: https://madaidans-insecurities.github.io/browser-tracking.html
Chrome Hardening: https://www.stigviewer.com/stig/google_chrome_current_windows/
Latest is based on Chromium™104.0.5112.81 which I believe to be the latest Chromium. The article cited is from 2016, and a lot has changed, but I understand having particular company dislikes. I remember loving Firefox before it was Sandboxed, only to be soon tormented. Later it did Sandboxing, but it's tough to get those days out of my mind. Times can be like that.
The latest Chromium is 106. Chrome will always be the first browser to receive security fixes which is a big thing.
I generally don't recommend using any forks of Chrome except Edge. Ungoogled Chromium weakens security by disabling CRLsets among other things. Hexavalent seemed promising until it ended development a few months ago and never got released. For now you're best off using Google Chrome or Microsoft Edge.
Reply written