Below are some quick notes that we hope are useful for getting started. For more depth on these topics, the Safe Hub Collective has very well-written guides.

Password Managers

KeePassX is a cross-platform password manager, with third-party apps available for android and ios. It stores all your account credentials in a file that you encrypt with one master passphrase. This way, you can have strong, unique passwords for each online account, avoiding the dangers of password reuse.

Some alternatives are LastPass and 1password. They offer a convenience trade-off, where you store your (encrypted) passwords on their service, and they synchronize them across your devices.

Also, enable 2-factor authentication whenever possible!

Mobile Devices

Full-disk Encryption
RedPhone / TextSecure / Signal
   Apps by Open Whisper Systems for encrypted communication
   - Android: RedPhone does calls, TextSecure does messaging
   - iOS: Signal does both calls and messaging
Location Tracking
   Be aware that your phone can and is used to track you. Your cell
   provider has records of your phone's location, and advertisers
   track your phone's wifi signal to try to determine where you buy
Tor for Android
   The Guardian Project has written a Tor client for Android, as
   well as a Tor browser.

Web Browsers (other than Tor Browser)

Chrome vs Chromium

Chrome is Google's web browser. It has two forms: Chrome, the proprietary version from Google, with closed-source parts you can't inspect (e.g., Flash), and Chromium, the open-source Free software version. Chromium is preferred over Chrome for privacy reasons.

Privacy Badger Attempts to do *behaviour-based blocking* of web trackers.

Privacy Badger keeps track of content loaded across different websites. If something appears to be tracking you, it will block it from being loaded in the future.


  1. adaptive filtering: detection based on behaviour


  1. may take time to 'warm up' the filter
  2. may not catch everything that a blacklist would
  3. EFF allows advertisers to opt out of blocking if they promise to behave well / look like they're not tracking you Blacklist-based filtering of web trackers has a blacklist of blocked content and prevents your browser from loading it.

The Chrome/ium version of Disconnect also has a visualizer that lets you see which companies are tracking you across multiple sites.


  1. extensive blocklist


  1. on rare occasions blocking content can break a site, in which case you can temporarily pause the blocking if need be.
HTTPS Everywhere Forces the browser to use TLS (encrypted) connections when possible

Some sites allow you to connect securely but don't require it.

Scenario: You're browsing a webpage and see a link like HTTPS Everywhere rewrites this link to automatically.

Scenario: You're on an open wifi and you click a link to an HTTPS login page. But an adversary has MitM'd the page and replaced the link with an HTTP one, so they can steal your account details. HTTPS Everywhere prevents the downgrade.

HTTPS Everywhere also has an option to block all unencrypted requests.

Scenario: You're on a network you don't trust (e.g., open WiFi, Tor) and want to prevent injection / spying. HTTPS Everywhere lets you block any unencrypted requests.

You can also opt in to the EFF's SSL Observatory and submit anonymous reports about the encrypted connections you see. This allows the EFF to detect attacks against HTTPS.

Ad Blockers

uBlock Origin is very efficient and lightweight.



You can choose to add extra blocklists; the more restrictive you choose to be, the higher likelihood of a website breaking.

Adblockers increase performance as well as protect your privacy.

Flash & other plugins

Friends don't let friends run Flash. The Flash plugin is a huge source of security flaws and you're much safer without it.

Flash also allows websites to track you in ways that are harder to block with standard tools.

In the event that you really, really, really need Flash for some reason, you should minimize your risk by enabling click-to-play.

Scenario: Your browser is redirected to a malicious page with an invisible Flash applet that exploits a security flaw. You visit the page, and your computer is silently compromised.

Firefox: Add-ons > Plugins > “Ask To Activate” or “Never Activate”.

Chrome/ium: Settings > Advanced Settings > Content Settings > Plug-ins > “Let me choose when to run plug-in content”.

Flash is slightly less dangerous in Chrome/ium since it runs in a sandbox.


Disabling Javascript prevents many attacks, but also breaks most websites.

Running Javascript on HTTP sites is dangerous since anyone between you and the website can inject their own scripts that run in your browser.

In Chrome/ium, it's possible to block Javascript on all insecure sites: Settings > Advanced Settings > Content Settings > JavaScript, select “Do not allow any site to run Javascript”, then “Manage Exceptions” and add “[https://]*”. This blocks all JS and then allows it on secure connections.

In Firefox, NoScript allows you to block Javascript.

The Tor Browser has a slider that allows you to adjust your security level, including blocking insecure Javascript


Use OTR over Jabber/XMPP – see the Safe Hub Collective guide


Anonymity network; anonymity vs. privacy

How Tor works:


Anonymous Live-USB operating system with Tor