Glossary

Identifying a browser instance by the combination of its properties — fonts, screen size, plugins, WebGL renderer, etc. Even with cookies disabled, the unique combination can re-identify the same user. Tor Browser and Mullvad Browser minimize fingerprintable surface.

See also: Tor, tracker

When DNS queries bypass your VPN tunnel and reach your ISP's resolver, revealing which sites you are visiting even though traffic is otherwise tunneled. Modern VPN clients all handle this, but it is worth verifying with a leak-test page after install.

See also: Virtual Private Network (VPN), dns-over-https

A forwarding address that lets you sign up to services without revealing your real address. If an alias starts getting spam, you can disable it without affecting anything else. SimpleLogin and AnonAddy are alias-only services; Proton Pass and iCloud+ ship built-in alias generators.

See also: disposable-email, Metadata

Encryption where only the sender and recipient hold the keys; the intermediate server cannot decrypt the content. "End-to-end" is a property of the protocol, not a marketing label — many "encrypted" services encrypt in transit and at rest but still hold the keys.

See also: transport-encryption, Zero-Knowledge / Zero-Access Encryption

The modern standard for phishing-resistant authentication using hardware security keys or platform authenticators (e.g. Touch ID). Each site gets its own keypair, so credentials cannot be reused across sites or replayed by a phishing page.

See also: Multi-Factor Authentication (MFA / 2FA), passkey, yubikey

A VPN feature that blocks all traffic if the VPN tunnel drops, preventing your real IP from being exposed during reconnects. Essential for any threat model where leaking your real IP matters.

See also: Virtual Private Network (VPN), DNS Leak

Information about a communication other than its content — who, when, from where, to whom, message size, subject line. End-to-end encrypted messengers protect content but typically leak some metadata (e.g. who-talks-to-whom).

See also: End-to-End Encryption (E2EE), traffic-analysis

Login that requires more than one factor: something you know (password), something you have (security key, phone app), or something you are (biometric). TOTP-app codes are good; SMS codes are weak because of SIM-swap attacks.

See also: totp, FIDO2 / WebAuthn, sim-swap

A VPN provider's claim not to retain logs that could tie a session to an account. "No-logs" is meaningful only when an independent auditor has examined the actual infrastructure — the claim alone is just marketing.

See also: Virtual Private Network (VPN), warrant-canary

A service reachable only inside the Tor network, identified by a .onion address. Both endpoints stay inside Tor, so neither party reveals an IP to the other or to an exit node.

See also: Tor, exit-node

The discipline of identifying which behaviors give an adversary useful information and changing them. OpSec failures (logging into a clearnet account from Tor, reusing a username across personas) defeat technical controls.

See also: Threat Model

A structured statement of who you are protecting yourself from, what they are likely to try, and what you are willing to do about it. Without a threat model, every privacy product looks equally important; with one, most fall away as irrelevant for your situation.

See also: adversary, Operational Security (OpSec)

A volunteer-operated overlay network that routes traffic through three relays, each only knowing its immediate neighbors. Provides much stronger sender anonymity than a VPN at a substantial latency and bandwidth cost.

See also: Virtual Private Network (VPN), Onion Service, exit-node

An encrypted tunnel between your device and a server operated by a VPN provider. The provider becomes your effective ISP for traffic inside the tunnel. A VPN moves trust from your ISP/network to the VPN operator — it does not by itself make you anonymous.

See also: Tor, No-Logs Policy, Kill Switch

An architecture where the service provider cannot read user data even if compelled to. Achieved by encrypting client-side with keys derived from the user's password before upload. Proton Mail, Tutanota, and Bitwarden use this model.

See also: End-to-End Encryption (E2EE), client-side-encryption