The primary reason for curtains/blinds/drapes covering our windows in our house is to stop people from being able to see in. The reason we don’t want them to see in is because we consider much of what we do inside our homes to be private. Whether that be having dinner at the table, watching a movie with your kids, or even engaging in intimate or sexual acts with our partner. None of these things are illegal by any means, but even knowing this, we still keep the curtains and blinds on our windows. We clearly have this strong desire for privacy when it comes to our personal life and the public.
Joshua in The Crypto Paper
Security is not a boolean but a process: trying to protect all of your data from everyone all the time is impractical, expensive, and exhausting. Build a personalized threat model first, then switch to software and services accordingly.
1. Web Browsers
- Mozilla Firefox — Firefox is an extremely customizable web browser from Mozilla that checks all the boxes for privacy, security, and open source, and has a vibrant add-on ecosystem.
- Tor Browser — Tor Browser is a modified version of Firefox ESR, which comes with lots of privacy add-ons and tweaks. It is configured to run on the Tor network, providing an extra layer of anonymity, and can be configured to run without the Tor Network.
- Brave Browser — Brave is my Chromium-based browser of choice. It comes preconfigured with pretty good privacy and security features, and has the added benefit(?) of being based on Chromium.
- Bromite (Android) — Bromite is a Chromium-based browser for Android with awesome privacy and security enhancements like built-in ad-blocking, DNS over HTTPS support, fingerprinting mitigation, and more.
- DuckDuckGo (Android & iOS) — DuckDuckGo is another Chromium-based browser for Android, by the guys behind the private search engine DuckDuckGo. It’s a pretty neat browser with built-in tracker blocking, private search, a privacy grade for websites, and more.
2. Browser Add-ons
- uBlock Origin — uBlock Origin is an efficient wide-spectrum blocker that is easy on memory, comes with Advanced mode which allows for dynamic filtering similar to NoScript and uMatrix, and has no monetization strategy.
- Decentraleyes — Decentraleyes works by emulating a CDN locally on your device, providing an additional layer of tracking protection against the CDN providers a website might be using.
- Cookie AutoDelete — Cookie AutoDelete, as the name suggests, automatically removes cookies, lingering sessions, and other information that can be used to spy on us when they are no longer used by open browser tabs.
- Privacy Badger — Privacy Badger is an add-on by the EFF that blocks “invisible trackers” by analyzing trackers and ads that violate the principle of user consent. It seems redundant if used alongside uBlock Origin.
- ClearURLs — ClearURLs automatically removes tracking elements from URLs as you browse different websites across the Internet.
- User-Agent Switcher and Manager — User-Agent Switcher lets you spoof your browser’s User-Agent string, making it harder for websites to track you and deliver distinct content.
- Firefox Multi-Account Containers — Multi-Account Containers is an add-on by Firefox that lets you keep parts of your online life separated into distinct containers with color-coded tabs.
- NoScript Security Suite — NoScript is a powerful script blocker that uses “ClearClick Technology” to protect you against XSS, cross-zone DNS rebinding / CSRF attacks, and clickjacking attempts.
3. Search Engines
- Searx — Searx is an open source, privacy-friendly and self-hostable metasearch engine. It works by aggregating results from other search engines; host your own instance or choose one from the list of public instances.
- Qwant — Qwant is a privacy-respecting search engine based in France, with a focus on two key principles: Privacy and Neutrality. It has its own indexing engine and doesn’t do any user tracking or personalized search results, to avoid trapping users in a filter bubble.
- MetaGer — Metager is an open source metasearch engine based in Germany, with pretty nifty features like “source of search result”, “open anonymously”, and much more.
4. Password Managers
- Bitwarden — Bitwarden is a cloud-based open source password manager that provides one of the easiest and safest ways to store all of your logins and passwords and have them synced across all devices. There is a feature-rich free version, and the ability to self-host using Vaultwarden on a private server.
- KeePassXC — KeePassXC is a free and open-source password manager that, unlike Bitwarden, stores all passwords and sensitive information in a locally encrypted database. It is available across all devices, but the database needs to be synced manually or via one of the cloud storage providers.
- LessPass — LessPass is a free and open-source “stateless” password manager that, unlike both Bitwarden and KeePassXC, doesn’t store passwords anywhere, neither in the cloud nor locally. LessPass computes a unique password from a site, a login and a master password. It seems like a pretty cool idea: there’s no need to sync anything, and it works offline too.
I am a little hesitant to recommend stateless password managers like LessPass, because if someone gets hold of the master password, they could derive every other password easily without needing access to any database whatsoever.
I don’t recommend using the browsers’ built-in password managers, or even the browser extensions of dedicated password managers. The web browser just has too big an attack surface for me to store all of my credentials in it. Check our guide on all things password management for more details.
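To make the stateless idea and its downside concrete, here is an added example (constructed for this page, not LessPass’s own code) of a site password derived purely from master password, site, login and a counter. The KDF choice (PBKDF2-HMAC-SHA256, 100,000 iterations), the salt layout and the alphabet are assumptions of this example; the point is that nothing is stored, so anyone holding the master password can recompute every site password on their own machine.

```python
"""Stateless site-password derivation, modelled on the description above.
Constructed example: KDF, salt layout and alphabet are assumptions, not
LessPass's actual profile format."""
import hashlib

# Assumed output alphabet (letters, digits and a few symbols).
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")


def derive_password(master: str, site: str, login: str,
                    counter: int = 1, length: int = 16) -> str:
    """Return the site password as a pure function of its inputs.

    No vault is read or written: the same (master, site, login, counter)
    always yields the same password, on any device, offline."""
    # Public-ish inputs (site, login, counter) form the salt; the master
    # password is the only secret, which is exactly the risk noted above.
    salt = f"{site}:{login}:{counter}".encode()
    entropy = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  100_000, dklen=32)
    # Map the 256-bit KDF output onto the alphabet one character at a time.
    n = int.from_bytes(entropy, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def rotate_password(master: str, site: str, login: str,
                    current_counter: int) -> str:
    """'Change' one site's password without changing the master.

    The only knob is the counter, and remembering which counter each site
    is on is state again, so the scheme is not fully stateless in practice."""
    return derive_password(master, site, login, current_counter + 1)


if __name__ == "__main__":
    # Constructed sample inputs.
    pw = derive_password("correct horse battery", "example.com", "alice")
    print("example.com:", pw)
    print("after rotation:", rotate_password("correct horse battery",
                                             "example.com", "alice", 1))
```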
5. Multi-Factor Authentication
- Aegis Authenticator — Aegis is a free and open-source authenticator app for Android for managing 2-step verification tokens. It stores them in an encrypted vault with options for biometric unlock, backups, and much more.
- Raivo OTP — Raivo is a free and open-source authenticator app for iOS for managing 2-step verification tokens. It stores them in an encrypted vault with options for biometric unlock, backups, and much more.
- Yubikey — YubiKey is a hardware authentication device by Yubico that supports one-time passwords, public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance.
I don’t recommend using 2FA via SMS, as it is unencrypted and vulnerable to attacks like SIM swapping. I am also not keen on storing authenticator codes in the password manager.
6. Virtual Private Networks (VPNs)
- Mullvad VPN — Mullvad is a fast and inexpensive (€60/y) VPN with a serious focus on transparency and security. They have secure servers in over 35 countries, are based in Sweden, and have been in operation since 2009. Mullvad supports both OpenVPN & WireGuard, IPv6 as well as port forwarding, and has been audited by Cure53 and Assured AB.
- ProtonVPN — ProtonVPN is a strong contender in the VPN space, with servers in over 44 countries. They are based in Switzerland, have been in operation since 2016, and offer a free version. ProtonVPN also supports both OpenVPN & WireGuard, but doesn’t support IPv6 or port forwarding, and has been audited by SEC Consult.
- IVPN — IVPN is a premium VPN service provider based in Gibraltar, with servers in over 32 countries. They also support both OpenVPN & WireGuard, and have been in operation since 2009. IVPN is extremely transparent about their service, supports port forwarding, and has been audited by Cure53.
Merely using a VPN won’t make you anonymous, nor will it add any security to non-HTTPS traffic, i.e. websites that don’t use HTTPS; a VPN is not a replacement for good security practices.
Our guide on the best VPN providers covers pretty much everything one needs to know about VPNs. Stay away from free VPN providers, and don’t rely on the no-logging policy of a VPN provider. I recommend self-hosting your own VPN via OpenVPN, WireGuard, or Shadowsocks.
7. DNS Resolvers
- AdGuard DNS — AdGuard DNS is a privacy-oriented DNS resolver that can block tracking, ads, and phishing. It supports DNS over HTTPS, DNS over TLS, and DNSCrypt, uses Anycast, and is based in Cyprus.
- Cloudflare DNS — Cloudflare’s 1.1.1.1 is a fast, privacy-respecting, encrypted DNS resolver that can filter malware as well as adult content. It supports both DNS over HTTPS and DNS over TLS, uses Anycast, is based in the US, and has native apps for mobile devices.
- Quad9 — Quad9 is a privacy-respecting encrypted DNS resolver run by the non-profit Quad9 Foundation based in Switzerland. It supports DNS over HTTPS, DNS over TLS, and DNSCrypt, uses Anycast, can block malware, and has a native app for Android.
8. Instant Messaging Apps
- Signal — Signal is a centralized open-source messenger that checks pretty much all the boxes: it provides end-to-end encrypted instant messaging, voice and video calling, and collects minimal metadata, but requires a phone number.
- Element — Element is a federated open-source messenger built on the Matrix protocol, an open standard for secure decentralized real-time communication. It can be self-hosted, doesn’t require a phone number, and can be bridged to communicate across other services such as Slack, Telegram, Signal, and more.
- Briar — Briar is a peer-to-peer open-source messenger that connects to other clients using the Tor Network. It can also connect via Wi-Fi or Bluetooth when in local proximity, and its local mesh mode can work without any internet connectivity.
Unencrypted plain-text messages (SMS) are a security and privacy nightmare, and so are most of the common closed-source messengers like WhatsApp, WeChat, etc. Our guide on secure messengers lists more privacy-respecting messengers like Session and Threema, and goes into more detail about how they work.
9. Email Service Providers
- Tutanota — Tutanota is an email service with a focus on security and privacy through the use of encryption. It doesn’t use OpenPGP but an implementation of AES 128 & RSA 2048 to encrypt the entire mailbox, including the header part. Tutanota is based in Germany, has been in operation since 2011, and also offers a generous free account.
- ProtonMail — ProtonMail is an email service with a focus on privacy, encryption, security, and ease of use, by the same folks behind ProtonVPN. ProtonMail has integrated OpenPGP encryption in their webmail; they are based in Switzerland, have been in operation since 2013, and also offer a free account.
- Mailbox.org — Mailbox is an email service with a focus on being secure, ad-free, private, and powered by 100% eco-friendly energy. Mailbox has integrated OpenPGP encryption in their webmail; they are based in Germany, and have been in operation since 2014.
I recommend using encrypted messengers instead of email for prolonged conversations; most email providers don’t have end-to-end encryption, and even if you use end-to-end encryption via OpenPGP, there is still unencrypted metadata in the headers of the email.
10. Cloud Storage & Productivity Tools
- Nextcloud — Nextcloud is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It combines the convenience and ease of solutions like Office 365 and Google Workspace with the security, privacy, and control of self-hosting and open source.
- CryptPad — CryptPad is an end-to-end encrypted and open-source suite of collaborative online office apps and cloud storage that is private-by-design. CryptPad.fr offers generous free accounts, and it can be self-hosted for even more control over the data.
- LibreOffice — LibreOffice is a free and open-source office suite, and a successor to OpenOffice, by The Document Foundation. It has a clean interface and feature-rich tools, and supports the file formats of most other major office suites, including Microsoft Office.
- Joplin — Joplin is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers end-to-end encryption and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
- Syncthing — Syncthing is a free, open-source peer-to-peer file sync that replaces proprietary sync and cloud services with something open, secure, trustworthy and decentralized. It synchronizes files between two or more computers in real time, safely protected from prying eyes over a local network, or over the Internet.
You should also take appropriate steps to minimize metadata; metadata is just as important as the actual data. Our guide on metadata removal tools lists recommendations and best practices.
11. File Encryption
- VeraCrypt — VeraCrypt is a free and open-source utility for on-the-fly encryption. It can create a virtual encrypted disk within a file, or encrypt a partition or the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project, with all the security improvements and fixes to issues raised by the initial TrueCrypt code audit.
- 7-Zip — 7-Zip is a free and open-source file archiver with support for a number of archive formats, including 7z, ZIP, gzip, bzip2, xz, tar, and WIM. It also supports encryption via the 256-bit AES cipher, which can be enabled for both files and the 7z hierarchy.
- Hat.sh — Hat.sh is a free and open-source web app that provides secure client-side file encryption in your browser using XChaCha20-Poly1305 from the libsodium library. No data ever leaves the browser, and it can be self-hosted.
There are lots of so-called “app locks” that provide a false sense of security; mere password protection is not the same as encryption. Our guide on secure encryption tools goes into more detail about it.
12. Operating System
- Fedora Workstation — Fedora is a Linux distribution developed by the Fedora Project and sponsored by Red Hat. Fedora Workstation is a secure, reliable, and user-friendly edition developed for desktops and laptops. Fedora comes with the GNOME desktop environment by default; other desktop environments are also available.
- Qubes OS — Qubes is a security-focused desktop operating system that works by the principle of security by isolation. It leverages Xen-based virtualization to allow for the creation and management of isolated compartments called qubes, where the user environments can be based on Fedora, Debian, Whonix, and Microsoft Windows, among other operating systems.
- Tails OS — Tails, or The Amnesic Incognito Live System, is a security-focused Debian-based Linux distribution aimed at protection against surveillance and censorship. It can boot on almost any computer from a DVD, USB stick, or SD card, connects to the Internet exclusively through the Tor anonymity network, leaves no trace on the computer, and uses state-of-the-art cryptographic tools to encrypt files, emails, and instant messages.
- CalyxOS — CalyxOS is a free and open-source operating system for smartphones, based on Android, by the Calyx Institute, that puts privacy and security into the hands of everyday users. It also comes with lots of proactive security features like a preinstalled Tor Browser, free trusted VPNs, Signal, verified boot, and microG.
- GrapheneOS — GrapheneOS is an Android-based, security-hardened, privacy-focused, mostly free and open-source mobile operating system. It has a lot of security hardening and privacy improvements like a hardened memory allocator, network and sensor permissions, verified boot, and more.
- Data Brokers: Last Week Tonight with John Oliver (HBO)
- Glenn Greenwald: Why privacy matters
- 8 counter-arguments to common privacy misconceptions | I have nothing to hide data privacy
That’s all folks!
I will be updating this page frequently with more private tools and information.