20240719

- Fixed information about Ente Auth
- Clarified Criteria wording for Links & Resources
- Added a link to additional information about iCloud's Advanced Data Protection Program & the importance of not losing your password
- Updated Firefox recommendations
- Added a tip about writing down passwords
- Fixed the Encryption page and added a note about the importance of passwords and recovery methods with end-to-end encryption.

src/assets/data/pages/en/guides/most-important/Mfa.json

@@ -37,8 +37,9 @@
     "link": "https://ente.io/auth/",
     "pros": [
        "Available on all operating systems",
-       "Available on [F-Droid](https://f-droid.org/en/packages/io.ente.auth/)"],
+       "Available on [F-Droid](https://f-droid.org/en/packages/io.ente.auth/)",
+	   "No account required (offline mode only)"],
     "cons": [
-  "ente account required (free for now but [plans](https://ente.io/blog/auth/) to charge in the future)"]
+		"ente account required (online sync only)"]
   }
 }

src/pages/en/criteria.md

@@ -56,13 +56,13 @@ Because many words and phrases can be subjective, we have clarified some of our
 
 ## Encrypted Messaging
 * Must have end-to-end encrypted one-to-one messaging enabled by default
-* Ability to export messages for backup or portability purposes
-* Must optionally support ephemeral messaging (realtime messaging only)
-* Must be metadata-resistant (realtime messaging only)
+* Ability to export messages (email-only, realtime messengers encouraged)
 * Must support custom domains (e-mail only)
+* Must support ephemeral messaging (realtime messaging only)
+* Must be metadata-resistant (realtime messaging only)
 
 ## Links & Resources
-* All resources and links must be directly relevant to individual data privacy and/or cybersecurity.
+* Must be directly relevant to individual data privacy and/or cybersecurity
 
 ## Mobile Settings & Apps
 * Recommended settings changes must reduce the amount of data submitted to the device manufacturer, cell carrier, and/or app developers and/or must improve device security against common threats

src/pages/en/guides/moderately-important/backups.mdx

@@ -67,6 +67,6 @@ _Listed in alphabetical order, not order of recommendation_
 
 ### iCloud's Advanced Data Protection Program
 
-With the rollout of Apple’s [Advanced Data Protection](https://support.apple.com/en-us/HT202303) program, there are certainly those will ask if that’s an acceptable cloud storage solution. The short answer is “probably but I’m not a fan.” First off, the Advanced Data Protection program is proprietary, meaning that there is very little transparency into the security or implementation of the security. While I personally don’t believe that Apple would intentionally insert backdoors into the program, we have seen time and time again that big, complicated code like that can easily contain bugs, vulnerabilities, and other opportunities for improvement. Closing off the source code means it will take longer for those to be found and fixed, and in the meantime bad guys might find and exploit them. Furthermore, the Advanced Data Protection program locks you into the Apple ecosystem, which makes it harder for you to take your data to a new platform if you ever decide to in the future. I prefer open source solutions that are available on a wide variety of operating systems, giving you the agility to easily pivot for any reason and the assurance of transparency. That said, if you have tried the solutions above and they don’t work for you, then turning on Advanced Data Protection is certainly better than not using it. Be sure to read up on it first and know the limitations.
+With the rollout of Apple’s [Advanced Data Protection](https://support.apple.com/en-us/HT202303) program, there are certainly those will ask if that’s an acceptable cloud storage solution. The short answer is “probably but I’m not a fan.” First off, the Advanced Data Protection program is proprietary, meaning that there is very little transparency into the security or implementation of the security. While I personally don’t believe that Apple would intentionally insert backdoors into the program, we have seen time and time again that big, complicated code like that can easily contain bugs, vulnerabilities, and other opportunities for improvement. Closing off the source code means it will take longer for those to be found and fixed, and in the meantime bad guys might find and exploit them. Furthermore, the Advanced Data Protection program locks you into the Apple ecosystem, which makes it harder for you to take your data to a new platform if you ever decide to in the future. I prefer open source solutions that are available on a wide variety of operating systems, giving you the agility to easily pivot for any reason and the assurance of transparency. That said, if you have tried the solutions above and they don’t work for you, then turning on Advanced Data Protection is certainly better than not using it. Be sure to read up on it first and know the limitations, especially the importance of [not forgetting your password or encryption keys](/guides/prologue/encryption##dont-lose-your-password).
 
 **If you follow the steps on this page, you should have created secure, consistent backups** that will protect you in the event of a lost, stolen, or damaged device, or even the dreaded ransomware.

src/pages/en/guides/most-important/browser.mdx

@@ -14,7 +14,7 @@ Currently **Google Chrome has the most users, but it's [basically spyware](https
 
 ## Brave vs Firefox
 
-Browsers are highly controversial. No matter what browsers I suggest, people will always say that I should've considered a different one or shouldn't have listed one I did. To see my criteria for why I selected these browers to list, check [here](/criteria#web-browsers). In the interest of transparency, I do want to acknowledge that **both Brave and Mozilla have made questionable decisions.** Brave's criticisms mostly revolve around their use of BAT, a cryptocurrency they developed to allow site owners and content creators to get paid based on visits and time spent on their site. You can read more about that [here](https://brave.com/brave-rewards/). Such decisions included [collecting payments on behalf of a creator who claims he never got paid](https://www.altcoinbuzz.io/cryptocurrency-news/spotlight/famous-youtuber-tom-scott-frustrated-with-brave/) and [injecting affiliate links into browser traffic so Brave made more money](https://www.cpomagazine.com/data-privacy/brave-privacy-browser-caught-automatically-adding-affiliate-links-to-cryptocurrency-urls/). These situations have since been corrected. For Mozilla's shortcomings, they regularly draw criticism for making their analytics opt-out rather than opt-in, making Google the default search engine, and [paying their CEO over $3 million USD per year while struggling to be financially solvent](https://www.zdnet.com/article/endangered-firefox-the-state-of-mozilla/). I also want readers to be aware that Firefox has [been found](https://www.ghacks.net/2022/03/17/each-firefox-download-has-a-unique-identifier/) to be issuing a temporary, one-time tracker that shares some data with Google when you download and install the program for the first time on Windows or Mac, so if you go this route I suggest you turn off your internet during the installation until you have a chance to disable analytics (discussed below).
+Browsers are highly controversial. No matter what browsers I suggest, people will always say that I should've considered a different one or shouldn't have listed one I did. To see my criteria for why I selected these browers to list, check [here](/criteria#web-browsers). In the interest of transparency, I do want to acknowledge that **both Brave and Mozilla have made questionable decisions.** Brave's criticisms mostly revolve around their use of BAT, a cryptocurrency they developed to allow site owners and content creators to get paid based on visits and time spent on their site. You can read more about that [here](https://brave.com/brave-rewards/). Such decisions included [collecting payments on behalf of creators without consent](https://www.altcoinbuzz.io/cryptocurrency-news/spotlight/famous-youtuber-tom-scott-frustrated-with-brave/), and [injecting affiliate links into browser traffic so Brave made more money](https://www.cpomagazine.com/data-privacy/brave-privacy-browser-caught-automatically-adding-affiliate-links-to-cryptocurrency-urls/), and [installing software without transparency](https://www.theverge.com/2023/10/20/23925192/brave-browser-vpn-windows-11). These situations have since been corrected. For Mozilla's shortcomings, they regularly draw criticism for having [poor default settings](https://www.zdnet.com/article/googles-back-its-firefoxs-default-search-engine-again-after-mozilla-ends-yahoo-deal/), having a [hostile attitude toward users](https://blog.privacyguides.org/2024/07/14/mozilla-disappoints-us-yet-again-2/#lack-of-consent), paying their CEO over $3 million USD per year while [struggling to be financially solvent](https://www.zdnet.com/article/endangered-firefox-the-state-of-mozilla/), and investing in a [wide-range of companies](https://en.wikipedia.org/wiki/Mozilla_Corporation#Notable_events) that seem to have little to do with their original mission while failing to focus adequate resources on their browser. I also want readers to be aware that Firefox has [been found](https://www.ghacks.net/2022/03/17/each-firefox-download-has-a-unique-identifier/) to be issuing a temporary, one-time tracker that shares some data with Google when you download and install the program for the first time on Windows or Mac, so if you go this route I suggest you turn off your internet during the installation until you have a chance to disable analytics (discussed below).
 
 While I don't think there is a perfect solution in this space, I personally recommend Brave for most people. It is the most Chrome-like so most users will find the transition easy, using the Chromium engine will make you "blend in" more with other chrome users, and it is extremely privacy-friendly "out of the box" without having to make a lot of advanced tweaks. Having said that, a lot of people feel very strongly about Brave as a company, the BAT token, and the idea of giving Google too much power by having too many users dependent on the Chromium engine. Therefore, I will leave it up to my readers to decide which company they consider to be more ethical and which browser is right for their needs. If you still find yourself on the fence, it's worth noting that Chromium-based browsers tend to have better security, however as long as you're using good [online habits](/guides/less-important/habits) the difference should be minimal for most casual web users ([Source](https://madaidans-insecurities.github.io/firefox-chromium)).
 
@@ -102,26 +102,24 @@ _3: This will sign you out of everything and reset any settings. See Note 2 for
   class="float-right mx-6 w-24"
 />
 
-- After downloading but before installing, disconnect from the internet.<sup>1</sup>
-- **(Skip this setting if using a [VPN](/guides/less-important/vpns).)** General: Network Settings: Enable DNS over HTTPS: Custom: Select a DNS provider from [this list](https://www.privacyguides.org/en/dns/).
+- General: Browsing: Recommend extensions as you browse: Uncheck
+- General: Browsing: Recommend features as you browse: Uncheck
 - Home: Firefox Home Content: Shortcuts: Sponsored Shortcuts: uncheck
 - Home: Firefox Home Content: Recommended by Pocket: Sponsored Stories: uncheck
 - Search: Default Search Engine: Pick a [privacy-respecting search engine](/guides/less-important/habits#search-engines).
-- Privacy & Security: Enhanced Tracking Protection: Strict<sup>2</sup>
+- Privacy & Security: Enhanced Tracking Protection: Strict<sup>1</sup>
 - Privacy & Security: Cookies & Site Data: Delete cookies and site data when Firefox is closed: checked<sup>3</sup>
-- Privacy & Security: Logins and Passwords: uncheck all<sup>3</sup>
-- Privacy & Security: Forms and autofill: uncheck all<sup>3</sup>
+- Privacy & Security: Passwords: Uncheck all<sup>2</sup>
+- Privacy & Security: Autofill: Uncheck all<sup>2</sup>
 - Privacy & Security: History: Never remember history
-- Privacy & Security: Address Bar - Firefox Suggest: Suggestions from the web: disabled
-- Privacy & Security: Address Bar - Firefox Suggest: Suggestions from sponsors: disabled
-- Privacy & Security: Firefox Data Collection and Use: uncheck all
+- Privacy & Security: Firefox Data Collection and Use: Uncheck all
+- Privacy & Security: Website Advertising Preferences: Allow websites to perform privacy-preserving ad measurement: Uncheck
 - Privacy & Security: HTTPS-Only Mode: Enable HTTPS-Only Mode in all windows
+- **(Skip this setting if using a [VPN](/guides/less-important/vpns).)** Privacy & Security: Enable DNS over HTTPS: Max Protection: Select a DNS provider from [this list](https://www.privacyguides.org/en/dns/).
 
-_1: Mozilla [issues](https://www.ghacks.net/2022/03/17/each-firefox-download-has-a-unique-identifier/) a temporary, one-time tracker that utilizes Google Analytics to understand the relationship between downloads and installations. This will be disabled in later settings._
+_1: I have never known this setting to cause any website breakage, however you can always change it back to Standard or Custom if you do._
 \
-_2: I have never known this setting to cause any website breakage, however you can always change it back to Standard or Custom if you do._
-\
-_3: There is malware capable of swiping data stored in your browser, including history and saved passwords, credit cards, and even multi-factor authentication cookies. You can choose to leave cookies and other sign-in data and history if you want, but know that it is a security risk._
+_2: There is malware capable of swiping data stored in your browser, including history and saved passwords, credit cards, and even multi-factor authentication cookies. You can choose to leave cookies and other sign-in data and history if you want, but know that it is a security risk._
 
 </div>
 

src/pages/en/guides/most-important/passwords.mdx

@@ -83,6 +83,8 @@ For the rest of your accounts, I recommend updating your passwords to something
 
 ## Tips & Tricks
 
+Contrary to what you may have heard, **writing down your master password (or other important passwords) isn't always a bad idea, with some caveats.** First, ensure you store it somewhere safe where criminals or other adversaries are unlikely to find it (such as a sticky note on your monitor). Second, don't make it super obvious that it's your password (for example, by writing "PC password: [password]" on the paper). Writing down a password can be a great way to create a backup and storing it offline nearly eliminates the risk of compromise (at least via digital channels), however you must be mindful not to lose the written-down password and to protect it from any physical compromise such as burglers.
+
 For your master login password, I recommend you use a passphrase so that it's easy to remember but still secure. A passphrase is a series of words rather than a single word or a string of random gibberish. A good passphrase should be at least five random words, so try to avoid famous quotes or obvious words like a list of your children's names. One common resource for generating a good passphrase is EFF's [Dice-Generated Passphrases](https://www.eff.org/dice). You could also Bitwarden's [free password generator](https://bitwarden.com/password-generator/). A [good passphrase](https://www.useapassphrase.com/) can take upwards of hundreds of years to brute force or guess.
 
 Make sure you enable [two-factor authentication](/guides/most-important/mfa) on your password vault - the stronger the better. If you can afford it, I recommend using a [security token](/guides/most-important/mfa#honorable-mention-security-tokens) here even if you don't use it elsewhere (though I recommend using it wherever possible). Your password vault is a single point of failure, so it's imperative to put the utmost level of protection on it.