
lissy93 / personal-security-checklist


🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2024

Home Page: https://digital-defense.io

License: Other

Python 2.23% JavaScript 3.41% TypeScript 93.80% CSS 0.56%
privacy security censorship cybersecurity checklist awesome surveillance defense open-source protection

personal-security-checklist's Introduction

👋 Hello! I'm Alicia

alicia at omg dot lol │ FEDB 68F5 5C02 83A7 │ @lissy93:matrix.org

👀 About

Alicia Sykes

I'm a software engineer based in London, UK. And I love writing code!

I care a lot about privacy and security, and have carried out several audits and have made numerous submissions to various bug bounty programs.

I also enjoy attending (and sometimes winning) hackathons and coding competitions, as it's a great opportunity to try out new technologies, meet new people and consume a lot of free caffeine.

I have a small homelab, which I'm using to learn more about system administration, and host my own services.

When I'm not at the keyboard, I like sports, astronomy and hanging out with friends.


📰 Latest Blog Posts

Alicia Sykes Blog

➡️ More Posts


πŸ› οΈ Tech Stack

Category    Technologies
Frontend    Vue.js, Svelte, React, Astro, Angular, D3.js
Core        TypeScript, JavaScript, Dart, Python, Java, PHP, Rust, Go, Node.js
Mobile      Flutter, Android, Kotlin, Swift
Cloud       Azure, Heroku, Netlify, Google Cloud
DevOps      Docker, Ansible, CircleCI
Testing     Selenium, Cypress, Jest
Misc        Linux, Bash, Markdown
Editors     Vim, VS Code

See ➡️ Full Tech Stack, for a list of projects using each of the above technologies


📊 Metrics

[Metrics images: General Stats, Coding Habits]


➡️ More Metrics

⚡ Recent Activity


  1. 🎉 Merged PR #135 in Lissy93/web-check
  2. 🗣 Commented on #1543 in Lissy93/dashy
  3. 🗣 Commented on #1544 in Lissy93/dashy
  4. 🗣 Commented on #1545 in Lissy93/dashy
  5. 🔒 Closed issue #1545 in Lissy93/dashy
  6. 🔒 Reopened issue #1538 in Lissy93/dashy
  7. 🗣 Commented on #1538 in Lissy93/dashy
  8. 🔒 Closed issue #1538 in Lissy93/dashy
  9. 🔒 Closed issue #840 in Lissy93/dashy
  10. 🗣 Commented on #840 in Lissy93/dashy

➡️ More Activity


010000010110110001101001011000110110100101100001.com

personal-security-checklist's People

Contributors

0xnbk, aarontorres0, alxndrv, ansuz, b3pio, ba32107, dmbaturin, gitetsu, hypogram, ilesinge, kdenhartog, leon-costa, liss-bot, lissy93, lordpansar, lucadidomenico, lukecarr, marjamis, matkoniecz, mschwrdtnr, mwleeds, nickali, oymate, pdelfino, pndyjack, rusty-snake, sirodoht, sjamaan, yaxollum, zacharyraber


personal-security-checklist's Issues

[COMPOSITE] Suggestions for the whole list

First of all:
I think "privacy" and "security" should be separated into separate lists.
Ergo:

Security = To prevent hackers and unauthorized parties from accessing your data or similar.
(Example: Using two-factor authentication falls into this category)
(Example2: Locking your door is security)

Privacy = To prevent legitimate tracking made by authorized individuals or government, or the site you are visiting for example.
(Example: Disabling third-party cookies falls into this category as cookies have no security implication, same with "protecting yourself from CCTV" and such)
(Example2: Covering your peep hole is privacy)

Second, let me go through points that I think should be changed:

"Shield your Password/PIN" --> I think CCTV Should be left out. CCTVs in trusted locations like banks, stores and such can be trusted.

"Avoid using your PM to Generate OTPs" --> Good, but then you should NOT run a separate authenticator app on your desktop either.
That gives the same security risks as using the PM to generate OTPs but with the inconvenience of having two pieces of software to keep track of.
Instead, if you are afraid of someone compromising the password manager, then you should use a separate DEVICE (either a separate OTP token, or phone or separate computer) to handle your OTPs.

"Don’t use a 4-digit PIN" --> Good, but without FDE on a computer, a password is TOTALLY WORTHLESS. It's child's play to pick out the drive and plug it into another computer and gain full access to all files. All it takes is a screwdriver, or not even that, a little pocket knife will suffice. Some laptops might have an integrated disk drive and/or tamper-resistant screws for security - some Apple laptops have this, and also certain medium-grade business laptops have this. But otherwise, don't.
It's better to not have any protection at all - and KNOW it's open, than be in a false sense of security and think that a Windows password will protect anyone from looking at your photos.

On a phone it's more secure even if your phone doesn't support encryption, because you would have to desolder the flash chips to gain access.

ADD:
Email:
For self-hosted email servers, consider using IP Whitelisting for endpoints requiring login (SMTP relaying outside of hosted mailboxes, IMAP access, POP3 access).
This will prevent all password-cracking bots out there.
This will ensure a correct IP AND username AND password is required.

For some mailservers, this might require you to tell the software to append the client's IP to the password, and then set your password to your password + IP.
(thus login will be impossible if you don't connect from the correct IP - basically, if you connect with the wrong IP - your password will be invalid even if you supply the correct password)
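Both schemes the post describes (a source-address allowlist in front of IMAP/POP3/SMTP login, and the "password + client IP" variant) as an added example in Python; this is not code from the checklist or from any mail server, and the mailbox, password and network addresses are constructed, hypothetical values.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data (hypothetical mailbox and networks, not from any real
# deployment): alice may log in only from an office /24 and a home IPv6 prefix.
ALLOWLIST = {
    "alice@example.org": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}
# Plaintext here only to keep the example short; a real server stores a hash.
PASSWORDS = {"alice@example.org": "correct horse battery staple"}

# Same mailbox under the post's second scheme: the stored secret is the real
# password with the single permitted client IP appended.
PASSWORDS_WITH_IP = {"alice@example.org": "correct horse battery staple203.0.113.7"}


@dataclass
class LoginAttempt:
    user: str
    password: str
    client_ip: str
    service: str  # "imap", "pop3" or "smtp" (submission/relay)


def ip_allowed(user: str, client_ip: str) -> bool:
    """True only if the peer address lies inside one of the user's allowed networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:  # malformed peer address: treat as not allowed
        return False
    return any(addr in net for net in ALLOWLIST.get(user, []))


def password_ok(user: str, supplied: str) -> bool:
    expected = PASSWORDS.get(user)
    if expected is None:
        # Unknown mailbox: still perform a comparison so response timing does
        # not reveal which user names exist, then reject.
        hmac.compare_digest(supplied.encode(), supplied.encode())
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def authenticate(attempt: LoginAttempt) -> Tuple[str, str]:
    """Scheme 1: allowlist first, password second.

    Rejecting on the source address before the password is even looked at
    means a bot outside the allowlist never learns whether its guess was right,
    so correct IP AND user name AND password are all required.
    """
    if not ip_allowed(attempt.user, attempt.client_ip):
        return ("reject", "source-ip-not-allowlisted")
    if not password_ok(attempt.user, attempt.password):
        return ("reject", "bad-credentials")
    return ("accept", "")


def authenticate_ip_suffix(attempt: LoginAttempt) -> Tuple[str, str]:
    """Scheme 2 from the post: the server appends the client IP to whatever
    password was supplied and compares that with the stored password+IP string,
    so the right password from the wrong address is simply a wrong password.
    Unlike scheme 1 this pins one exact address rather than a network."""
    stored = PASSWORDS_WITH_IP.get(attempt.user, "")
    candidate = attempt.password + attempt.client_ip
    matched = hmac.compare_digest(candidate.encode(), stored.encode())
    if stored and matched:
        return ("accept", "")
    return ("reject", "bad-credentials")


if __name__ == "__main__":
    probe = LoginAttempt("alice@example.org", "correct horse battery staple", "198.51.100.9", "imap")
    print(authenticate(probe))            # rejected on address, password never checked
    print(authenticate_ip_suffix(probe))  # rejected as a plain bad password
```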

[CONTENT-CHANGE] - 'Use a Privacy-Respecting Browser'

Firefox and Brave are secure, private-by-default browsers.

I don't know that I would define Firefox as being private by default (I don't know about Brave) - there are several crucial prefs which are not enabled by default

privacy.resistFingerprinting
webgl.disabled
browser.contentblocking.category
privacy.partition.serviceWorkers

Firefox is, IMO, the best foundation from which to start, but much more is needed (arkenfox user.js, a few extensions)

[CONTENT CHANGE] 'Multi-Session Containers' (Firefox specific)

containers are not strictly needed if strict blocking/net partitioning is enabled

arkenfox js...

/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/
user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
/* 2701: enable ETP Strict Mode [FF86+]
 * ETP Strict Mode enables Total Cookie Protection (TCP)
 * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of
 * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared
 * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
 * [SETTING] to add site exceptions: Urlbar>ETP Shield
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
user_pref("browser.contentblocking.category", "strict");
/* 2702: disable ETP web compat features [FF93+]
 * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants
 * Opener Heuristics are granted for 30 days and Redirect Heuristics for 15 minutes, see [3]
 * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
 * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
 * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
   // user_pref("privacy.antitracking.enableWebcompat", false);
/* 2710: enable state partitioning of service workers [FF96+] ***/
user_pref("privacy.partition.serviceWorkers", true);
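A small audit script for the four prefs listed in the 'Use a Privacy-Respecting Browser' comment above, run against a user.js in the arkenfox format quoted here; this is an added example, not code from the checklist or from the arkenfox project. The expected values for the prefs and the sample user.js text are constructed for the demonstration.

```python
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# The four prefs the comment lists, with the hardened values assumed here
# (the last two match the user_pref lines quoted above).
EXPECTED: Dict[str, PrefValue] = {
    "privacy.resistFingerprinting": True,
    "webgl.disabled": True,
    "browser.contentblocking.category": "strict",
    "privacy.partition.serviceWorkers": True,
}

# Constructed sample profile: a few arkenfox-style lines (including the
# commented-out 2702 pref) plus two prefs a user might have added by hand.
SAMPLE_USER_JS = """\
/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/
user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
/* 2701: enable ETP Strict Mode [FF86+]
 * ETP Strict Mode enables Total Cookie Protection (TCP) ***/
user_pref("browser.contentblocking.category", "strict");
/* 2702: disable ETP web compat features [FF93+] ***/
   // user_pref("privacy.antitracking.enableWebcompat", false);
/* 2710: enable state partitioning of service workers [FF96+] ***/
user_pref("privacy.partition.serviceWorkers", true);
user_pref("privacy.resistFingerprinting", true); // added by hand
user_pref("webgl.disabled", false);              // left at the permissive value
"""

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_value(raw: str) -> PrefValue:
    """Turn the literal from a user_pref() call into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:  # not a valid pref literal; keep it visible as text
        return raw


def parse_user_js(text: str) -> Dict[str, PrefValue]:
    """Collect active user_pref() lines, skipping /* */ blocks and // lines.
    A later definition overrides an earlier one, as Firefox itself does."""
    prefs: Dict[str, PrefValue] = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block:
            in_block = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_block = "*/" not in stripped
            continue
        if stripped.startswith("//"):  # commented-out pref is inactive
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs: Dict[str, PrefValue], expected=EXPECTED) -> Dict[str, str]:
    """One finding per pref that is absent or differs from the hardened value."""
    findings: Dict[str, str] = {}
    for name, want in expected.items():
        if name not in prefs:
            findings[name] = "missing (Firefox default applies)"
        elif prefs[name] != want:
            findings[name] = f"set to {prefs[name]!r}, expected {want!r}"
    return findings


if __name__ == "__main__":
    for pref, problem in audit(parse_user_js(SAMPLE_USER_JS)).items():
        print(f"{pref}: {problem}")
```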

[CONTENT-CHANGE] Edit 'Set up a mobile carrier PIN' as it's not clear enough

Justification

In the mobile devices section, for the advice Set up a mobile carrier PIN, the recommended mitigation is:

The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account.

I don't quite understand what this means - I'm almost sure it does not mean the PIN used for the SIM card lock (although I'm sure there are some people who would mix those up). What does this refer to exactly? I had a quick Google, but didn't find anything about an access PIN for my mobile provider.

[BUG] In Number 4 Privacy and security links under section CERT: you have changed Slovakia to Slovenia and use the Slovak CERT webpage ;)

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

[CONTENT-CHANGE]

Put "Add ____" as Title

Explain why it should be added

[A clear and concise description of the point and why it should be added to the list.]

Additional Context

[Provide some context, with a bit of detail. Specify which of the 10 categories this point should be listed under]

Content (optional)

[Suggest some content, including links, written in clear English for the point you'd like added]


NOTES:

  • Before submitting, check that there isn't a similar open issue already
  • Please create a new issue for each separate/ stand-alone point you'd like added to the list
  • If you are confident in your abilities, you can also write the point yourself, and submit it as a PR
  • Thank you for your suggestion, it's because of contributors like yourself that this project can exist

[CONTENT-CHANGE]

Using DNS over HTTPS IS NOT MORE PRIVATE!!!

Using DNS over HTTPS is actually worse for your privacy. I know experts will tell you it is but they are wrong and I can explain why.

You can’t use a PiHole to block tracking websites if you use DOH. The ability to block DNS requests to the tracking from Advertising and Marketing companies is going to do much more to protect your privacy than obfuscating your DNS requests. Keeping third parties from knowing what sites you visit and what locations you’re at and when you’re there is a much more important act, and using DOH prevents you from doing that.

To really protect your privacy you’re going to need a VPN to obfuscate your IP. Using a VPN router enables you to obfuscate all the traffic on your network.

Any security or privacy expert who says protecting your DNS requests with DOH is more important than blocking thousands of website trackers really isn't an expert and doesn't understand privacy at all.

[CONTENT-CHANGE] Add the stylized cover page to the repository

I found this amazing static page on the Awesome Docsify website. I love the static page, which I was able to emulate on my system, however, some of the nuances with the cover page are beyond me, namely how to get a component like the buttons to work.

From a usability and learning standpoint, including this _coverpage.md file would take little effort and help the community at large.

[UPDATE] browsers > Firefox

re: Browsers

Significantly more private, and offers some nifty privacy features than Chrome, Internet Explorer and Safari. After installing, there are a couple of small tweaks you will need to make, in order to secure Firefox. You can follow one of these guides by:

personally I don't agree - by default FF is a very noisy browser and Moz is using Google infrastructure for various things, telemetry being one of them (this is what led to the latest outage)

it also takes a lot more than a few tweaks to beat it into submission, starting with the arkenfox user.js

that said, I personally still recommend FF over any other mainstream browser, but only because I'm not aware of a better candidate

also, the 12bytes link has changed - not sure which guide you might want to link to, but both are here

lastly, I took a quick look at the "Security Gladiators" link in that same section and personally I would dump that link immediately - this person/persons is an f'n moron(s)

don't take this personally - the following rant is directed squarely at them...

Mozilla Firefox is a privacy-friendly web browser.

... that has and continues to partner with a plethora of privacy hating mega-corporations like Google (associated with u.s./israeli intelligence), Microsoft, Facebook (associated u.s./israeli intelligence), Verizon, Comcast, Amdocs (israeli owned company tied to the 11-Sep-2001 terrorist attacks), etc., etc.

Since Mozilla Firefox is open source and has no corporation behind it that wants it to make money, Firefox doesn’t really have a need to track users. source

WHAT ??? FF is Moz's star money mill!

And researchers have audited the web browser multiple times.

...and they link to an audit of Firefox Accounts, not the browser

And so, Firefox does not track users and their activities on the internet.

right... they just send data to everyone else that does

But there are lots of other reasons why Firefox has gained so much popularity over the last couple of years.

utter nonsense - Firefox market share continues to tank like a lead balloon

again, it's a decent browser, but only after modifying hundreds of prefs and adding a few extensions

edit: I made the mistake of reading more of their "great" advice...

So what’s the best line of defense against problems such as web browser fingerprinting?

Well, no need for any difficult solutions.

The most pain-free way to do it is to use as plain vanilla and common version of a given operating system and web browser as is practically possible.

...or just enable RFP and dFPI in Firefox

It is best to use Tor browser without the Tor function as that is what most security experts recommend to users who want to reduce browser fingerprinting.

that's fine, if you don't watch HD video, play latency-sensitive games, trust a network that's funded in part by u.s. dod, and trust a network where the entirety of it can be run on a single box, such as by your ISP

Enable Global Tracking Protection

obsolete - "Enhanced Tracking Protection" needs to be set to "strict" - this enables dFPI

How To Turn On Do Not Track

Another useful feature.

useless - no one is forced to respect the DNT header

List of The Best Mozilla Firefox Security And Privacy Add-ons.

Privacy Badger

obsolete

The HTTPS Everywhere Addon

obsolete

NoScript

not needed with uBO (which they recommend)

uMatrix

no longer developed - largely replaced by uBO

Cookie AutoDelete

largely obsolete (dFPI)

User-Agent Switcher and Manager

NO! this can only compromise built-in anti fingerprinting (RFP)

Canvas Defender

largely obsolete (RFP, dFPI)

Decentraleyes

LocalCDN

Conclusion

That is it.

Not. Even. Close.

[CONTENT-CHANGE] Remove "Use Cash for Local Transactions" in double in Personal Finance

State which point should be edited or removed. Put "Remove/ Edit ____" as Title

Justification

In "Personal Finance", the item "Use Cash for Local Transactions" is present twice, one of the two items should be deleted


NOTES:

  • Before submitting, check that there isn't a similar open issue already
  • Please create a new issue for each separate/ stand-alone point you'd like edited/ removed from the list
  • If you are confident in your abilities, you can also make the changes yourself, and submit it as a PR
  • Thank you for your suggestion, it's because of contributors like yourself that this project can exist

Is "space only after - sign" intentional?

Say in

If your password is too short, or contains dictionary words, places or names- then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with HowSecureIsMyPassword.net, to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: securityinabox.org

is using

or names- then

instead of

or names - then

intentional? Would it be welcome to make PRs fixing this?

[CONTENT-CHANGE] Add YourDigitalRights.org

Explain why it should be added

YourDigitalRights.org is a free and open source service which helps people regain control of their online privacy by automating the process of sending data deletion requests to organizations, and then provides guidance on how to ensure that requests are resolved in their favor.

Additional Context

The service automates the process of sending GDPR / CCPA / LGDP data deletion and access requests. It is free, open source, privacy respecting and is run by a registered charitable organization. I think it should go under the Security Tools -> Online Tools category.

Content (optional)

YourDigitalRights.org is a free and open source service which helps people regain control of their online privacy by automating the process of sending data deletion requests to organizations, and then provides guidance on how to ensure that requests are resolved in their favor.


NOTES:

  • Before submitting, check that there isn't a similar open issue already
  • Please create a new issue for each separate/ stand-alone point you'd like added to the list
  • If you are confident in your abilities, you can also write the point yourself, and submit it as a PR
  • Thank you for your suggestion, it's because of contributors like yourself that this project can exist

[CONTENT-CHANGE] add: Turris Omnia network router

Turris Omnia

open source network router based on OpenWrt
best fit(?): Network Security

Turris project encompasses both software and hardware development efforts aiming to provide open and secure routers. Devices that can be truly yours and you can trust in.

note that I have never used this product, but it is on my list as my potential next router

[CONTENT-CHANGE] Remove "Use Cryptocurrency for Online Transactions"

State which point should be edited or removed. Put "Remove/ Edit ____" as Title

Unlike card payments, most cryptocurrencies are not linked to your real identity. Many blockchains have a public record, of all transaction metadata, on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as Monero or ZCash. If you are using a widely-supported currency (such as Tether, BitCoin, LiteCoin, Ripple, Ethereum etc), take steps to distance yourself from the transaction details. See more privacy-respecting crypto currencies.

Justification

While technically true, achieving actual anonymity beyond that offered by standard solutions is not really easy. First of all, buying cryptocurrency is done with regular money and shaking that connection is not easy.

Especially with BTC as the most prominent one "Use Cryptocurrency for Online Transactions" is not really helpful.

Additionally, using cryptocurrency opens the user to new exciting classes of security issues.

In general, it is worth doing only for really dedicated, advanced people extremely caring about specific attack modes and able to avoid various traps.

I think that it should be removed or tradeoffs should be explained better. And it should not be "Optional" it should be something like "requires rearranging your life"

[CONTENT-CHANGE] Add LibreTranslate

LibreTranslate is a free and open source translation application that can be self hosted for enhanced privacy.

LibreTranslate supports ~20 languages and can translate text, HTML, and files through either a web interface or API. It would probably be in the "browsing the web" or "personal computers" category.

HTTPS is a joke

I don't see a point using HTTPS everywhere, when I am just consuming content.
And for making transactions, HTTPS is not enough.
You can acquire a certificate easily these days. So many people are happy to sign in to https://paypaI.com (with uppercase i) and give away their credentials, just because it says "secure". HTTPS doesn't mean the page is secure or not abusing your data for something else. At best it will securely transmit your data to attackers.

I would love to add to this point that HTTPS is a good first step, but it doesn't prevent attackers from getting your data. You need to deliberately inspect what the website is offering and apply common sense. This would be a perfect place to link to the Sensible Computing part.
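One way a mail or web filter can catch the lookalike host in the post's paypaI.com example before a user ever sees the padlock, as an added example in Python (not code from the checklist); the brand watch-list and the confusable-character table are constructed assumptions, and the registrable-label logic is deliberately naive (second-level label only).

```python
import unicodedata

# Constructed watch-list of names the filter wants to protect.
BRANDS = {"paypal", "google", "microsoft", "github"}

# Single characters that pass for another in common sans-serif fonts; the
# post's example is an uppercase "I" standing in for lowercase "l".
SINGLE = str.maketrans({
    "I": "l", "1": "l", "|": "l",
    "0": "o", "O": "o",
    "5": "s", "$": "s",
    "3": "e",
})
# Two-letter sequences that read as one letter at small sizes.
PAIRS = (("rn", "m"), ("vv", "w"))


def canonical_label(label: str) -> str:
    """Fold a domain label to the name a human would read it as."""
    folded = unicodedata.normalize("NFKD", label)          # fullwidth/accented -> base
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.translate(SINGLE).lower()
    for pair, single in PAIRS:
        folded = folded.replace(pair, single)
    return folded


def displayed_host(link: str) -> str:
    """Host as it is displayed, case preserved (urllib's .hostname lowercases,
    which would hide the uppercase I the post talks about)."""
    host = link.split("://", 1)[-1].split("/", 1)[0]
    host = host.split("@")[-1].split(":")[0]
    return host.strip(".")


def registrable_label(host: str) -> str:
    parts = host.split(".")
    # naive second-level label; enough for the .com-style suffixes used here
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_link(link: str) -> str:
    """exact-brand / lookalike / non-ascii-label / unrelated."""
    label = registrable_label(displayed_host(link))
    if label.lower() in BRANDS:
        return "exact-brand"
    if canonical_label(label) in BRANDS:
        return "lookalike"
    if any(ord(c) > 127 for c in label):
        return "non-ascii-label"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://paypaI.com/login", "paypal.com", "www.example.org"):
        print(link, "->", classify_link(link))
```

The DNS name actually resolved is case-insensitive, so this check belongs on the text the user reads (link text, mail body, address bar), not on the already-lowercased hostname.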

[CONTENT-CHANGE] Remove: Backup codes should be stored in password manager

State which point should be edited or removed.

We should remove the suggestion that Backup Codes should be stored in a Password Manager.
This suggestion appears in two places:

  1. TLDR Short List in section Authentication:

You could store them in your password manager or on paper in a safe place so you will not be locked out

  2. In the main guide, section Authentication, item Keep Backup Codes Safe:

You could store them in your password manager, in an encrypted note, or write them down somewhere safe.

Justification

Backup Codes should not be stored in a Password Manager because the entire purpose of a 2FA code (including back-up codes, which are simply long-living 2FA codes) is that they exist separately from your passwords. 2FA is effective because even if an attacker gets access to your passwords, they additionally need physical access to something else in order to access your account. However, by putting Backup Codes in your Password Manager you are totally violating this primary purpose of 2FA.

[CONTENT-CHANGE] add/change: 12bytes Firefox config guides

I'm the author of 2 configuration guides for Firefox, both of which address privacy and security, though primarily the former

The Firefox Privacy Guide For Dummies!

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

the latter guide is linked in the How-To Guides section under the 'Networking' heading and I'm not sure that's the best place for it ???

the former guide is not linked

I think both guides might fit best in the How-To Guides section under the 'Software' heading perhaps ???

[CONTENT-CHANGE] add: arkenfox user.js for Firefox

the arkenfox user.js project is an extremely comprehensive, privacy-centric user.js (custom preferences) for Firefox in that it alters nearly 300 preferences

this is a very serious project that would be of interest to anyone concerned about browser privacy and security

the project also includes scripts for updating and cleaning a user.js, as well as a reasonably comprehensive wiki with lots of valuable info

there are over a dozen contributors and many of them are very knowledgeable with connections to Mozilla and the Tor project

this project/user.js is not for the faint of heart - I would say that a moderate degree of technical understanding regarding Firefox is required, as well as the diligence to keep the user.js updated - the benefit is a 'quieter' and a privacy and security hardened Firefox

I'm not sure where this would fit best - perhaps in 5_Privacy_Respecting_Software.md or possibly in the How-To Guides section under 'Software'

personally I think the latter would be the better choice

edit: content was edited to reflect the new name of the project - 'ghacks' was replaced with 'arkenfox'

Add iVerify

Explain why it should be added

iVerify is a mobile application for iOS devices from researchers at Trail of Bits. It is available for Individuals, and provides both checklists and automated checks for the device.

Due to iOS restrictions, the checks are limited, but the checklists are comprehensive and explain the exact steps to be taken.

Additional Context

Due to iOS restrictions, the checks are limited, but the checklists are comprehensive and explain the exact steps to be taken.

Mobile Apps Category

Content (optional)

iVerify is a mobile application for iOS devices from researchers at Trail of Bits. It is available for Individuals, and provides both checklists and automated checks for the device. It also notifies you of critical security issues, iOS updates, as well as reboot reminders. It is available on the App Store

[CONTENT-CHANGE] WhatsApp now offers encrypted cloud backup

Explain why it should be added

On Security List > Secure Messaging > Disable Cloud Services, it's mentioned that "WhatsApp backups are not encrypted". But now WhatsApp offers end to end encrypted backup. So even though other parties can obtain the backup, it will need the user's password to read it. So I think this section should be updated to reflect this? Wdyt?

Additional Context

FAQ link: https://faq.whatsapp.com/general/chats/how-to-turn-on-and-turn-off-end-to-end-encrypted-backup

[CONTENT-CHANGE] separate category for VPN/Tor?

VPNs are referred to in various places, such as 'Networking' - I wonder if a dedicated category might be better?

I'm thinking maybe renaming 'Networking' to 'Network Privacy/Security', removing mention of ProtonVPN and Mullvad from there, and adding all the VPN providers under a new 'VPN' category???

[BUG] inaccurate info about gmail

Describe the bug

https://github.com/Lissy93/personal-security-checklist#emails

The big companies providing "free" email service, don't have a good reputation for respecting users privacy: Gmail was caught giving third parties full access to user emails and also tracking all of your purchases.

In my view the two stories you link here are misleading clickbait:

  1. Third party apps get full access to the user emails if the user explicitly tells gmail to grant access. You can see the access is granted and you can revoke it. It's like being "caught" having an IMAP interface. "Before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does."

  2. The 'purchase tracking' is just a summary view of emails about purchases, analogous to a saved search.

https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md#encrypted-email

Email is not secure- your messages can be easily intercepted and read. Corporations scan the content of your mail, to build up a profile of you, either to show you targeted ads or to sell onto third-parties.

Google does not use mail content to target ads, and does not sell mail content to third parties.

Source: https://www.blog.google/technology/safety-security/ensuring-your-security-and-privacy-within-gmail/

Additional context

I work in Google Security Engineering, but not on Gmail.

Consider adding package.json + prettier for contributing

I already have a PR ready to go, but thought an issue could better serve as a discussion before opening!

I think it goes without saying that consistent and reproducible formatting on any project (especially one this popular) is always welcome.

I noticed in the ATTRIBUTIONS.md that you're (most likely) using a local installation of Prettier (<!-- prettier-ignore-start -->). I think that adding a very minimal package.json with a pinned Prettier version included as a devDep could improve contributability(?).

However, I've scanned the existing Markdown source with Prettier and there were quite a few recommendations for each file, so I'd be curious to know if you're using a customised config locally, or not using it at all (and the ignore tags I found are ancient relics)!

[CONTENT-CHANGE] software > communication > Mumble

I might suggest adding Mumble (voice/text chat) in the software -> communication category

Mumble is a free, open source, low latency, high quality voice chat application.

Mumble was the first VoIP application to establish true low latency voice communication over a decade ago. But low latency and gaming are not the only use cases it shines in.

We heard from users who record podcasts with our multi-channel audio recorder, players seeking realism with our positional audio in games, Eve Online players with huge communities of over 100 simultaneous voice participants (I bet they make good use of our extensive permission system 😄), the competitive Team Fortress 2 community making us their required voice communication platform, hobby radio transmission users, and a variety of workplaces adapting Mumble to fit their needs - be it on-head mobile devices or communicating across countries or into airplanes.

Administrators appreciate Mumble for being able to self host and have control over data security and privacy. Some make use of the extensive permission system for complex scenarios (for example separating two groups but leaders being able to talk to both). Some love to provide their users with additional functionality with scripts making use of server APIs, or host music bots and the like that connect to the server. Those that have an existing user database often make use of authenticators to allow authenticating with existing account login data.

[CONTENT CHANGE] - 'Check for HTTPS'

re: HTTPS-Everywhere

Firefox has built-in functionality for this and, far as i know, i believe all/most other mainstream browsers do as well - some people still prefer an add-on ( i preferred Smart HTTPS ), but this is not strictly required

[BUG]

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

Add recommendation to not use random gibberish as security questions, but still use something random

Explain why it should be added

https://news.ycombinator.com/item?id=29244870 raises the point that a security question could be verified by a human, not a computer. An answer like "nIOHJIjDOidjdu89d)DD(90d" to, say, "Where did you live as a child?" could be passed with "some random gibberish", while a more human reply like "in the land far away with pink elephants" would be less likely to be defeated this way.

Additional Context

I am not really sure it is good advice.

Content (optional)

[Suggest some content, including links, written in clear English for the point you'd like added]


NOTES:

I may write PR for this or some other issue but for now I am waiting for processing https://github.com/Lissy93/personal-security-checklist/pulls/matkoniecz
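As an added illustration of the point raised in this issue (example code, not from the issue author or the repository): a Python sketch that builds a random answer out of dictionary words, so it carries a known amount of entropy like gibberish does while still reading as something a person might have written. The word list and the "reads as words" heuristic are constructed for the demo.

```python
import math
import secrets
import string

# Constructed 32-word sample list (illustration only); in practice use a large
# published list such as the EFF diceware list so each word carries ~13 bits.
WORDLIST = [
    "apple", "river", "pink", "elephant", "lantern", "castle", "meadow", "silver",
    "thunder", "velvet", "orange", "harbor", "window", "garden", "pencil", "rocket",
    "turtle", "marble", "candle", "forest", "island", "mirror", "pillow", "saddle",
    "timber", "violet", "walnut", "yellow", "zebra", "anchor", "bridge", "copper",
]
GIBBERISH_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(n_choices, n_symbols):
    """Bits of entropy in n_symbols drawn uniformly from n_choices options."""
    return n_symbols * math.log2(n_choices)


def words_for_bits(target_bits, wordlist_size):
    """Smallest number of wordlist words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def phrase_answer(n_words, wordlist=WORDLIST):
    """Random answer that still looks like something a person might say.

    Store it in a password manager like any other secret; it must never be the
    true answer to the question.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def gibberish_answer(length, alphabet=GIBBERISH_ALPHABET):
    """Random answer of the kind the issue argues a human verifier may reject."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reads_as_words(answer):
    """Constructed heuristic for what a support agent would accept as a plausible
    human answer: letters and single spaces only, every word 1 to 12 characters."""
    return (answer != ""
            and all(c.isalpha() or c == " " for c in answer)
            and all(1 <= len(w) <= 12 for w in answer.split(" ")))
```

With a 7776-word list, five words already exceed 64 bits, so the phrase form costs little entropy compared with a shorter gibberish string.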

off topic: soliciting someone to take over a Firefox config guide

i first published the Firefox Configuration Guide for Privacy Freaks and Performance Buffs in 2015

i wrote the guide as much for myself as to share with others

truth be told, i am not the sharpest knife in the drawer and i never really felt qualified to be writing such a guide, however i never found a truly comprehensive guide anywhere else that covers terminology, preferences, arkenfox, system add-ons, extensions and how to configure them, profiles, web storage, etc., etc.

i'd like to 'pass the torch', as it were, to someone more capable than i - someone who understands the inner workings of Firefox and the threats to privacy better than i

the guide is responsible for probably 25%+ of my page views and is constantly in the top 5 most popular pages

i do have some conditions though...

  • you must keep the guide up to date - a lot of people depend on this
  • i would like to see it remain as comprehensive as it is, covering all aspects of configuration, add-ons, etc. - a one-stop-shop for FF configuration
  • the guide relies heavily on the arkenfox user.js and from my interaction with the fantastic people involved in that project, as well as looking at similar projects, it is apparent to me that arkenfox is the best of them at this time - it is exceedingly comprehensive, always up to date and very active and i'd like to see it remain an integral part of the guide

if you're interested, let's talk and, if not, maybe you know someone who is

[BUG] ProtonMail Catch-All in Professional Plan

Describe the bug
The ProtonMail entry under the Anonymous Mail Forwarding section suggests that you can only achieve email aliasing with their Visionary plan (€30/month).

However, ProtonMail's Professional plan (€8/month) does support catch-all addresses which offer similar functionality at a more affordable price point. (This is the current setup that I use on my ProtonMail account to implement email aliasing).

[CONTENT-CHANGE] Remove/Edit recommendations of Tor

Justification

Tor has complex security tradeoffs, and isn't a good recommendation for everyone.

On the upside, it hides your traffic from your wifi operator or ISP. On the downside, traffic eventually exits through an exit node that is completely unknown and unaccountable to you, and this exit node can both inspect and modify the traffic.

So as a baseline, Tor is a good choice for people who would rather roll the dice in trusting anyone in the world than trust their local network. That might be the case for criminals, political dissidents or people suffering domestic abuse, but it doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks. But very similar problems apply to using Tor, with perhaps less obvious benefit.

As well as the performance impact, one should also consider:

  • a possible false sense of security if information leaks through DNS or other programs
  • Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs
  • whether using a browser with Tor built in or a separate proxy, you have a larger trusted software base
