Surveillance Self-Defense

Glossary

Indicators of compromise

Clues that show that your device may have been broken into or tampered with.

Operating system

A program that runs all the other programs on a computer or device. Windows, Linux, Android and Apple's macOS and iOS are all examples of operating systems.

Fingerprint

The keys of public key cryptography are very large numbers, sometimes a thousand or more digits long. A fingerprint is a much smaller number or set of numbers and letters that can be used as a unique name for that key, without having to list all of the key's digits. So, for instance, if you and a friend wished to make sure you both had the same key, you could either spend a long time reading off all the hundreds of digits in the key, or you could each compare your key's fingerprints instead. The fingerprints presented by cryptographic software usually consist of around 40 letters and numbers. If you carefully check that a fingerprint has the right value, you should be safe against impersonation using a fake key. Some software tools may offer more convenient alternative ways to verify a friend's key, but some form of verification needs to happen to prevent communications providers from easily being able to listen in.

One-time password

Passwords are usually semi-permanent: once you set them up, you can keep using them until you manually change or reset them. One-time passwords only work once. Some one-time password systems work by having a tool or program that can create many different one-time passwords, that you use in turn. This is useful if you're afraid that there may be a keylogger on a system where you have to type in a password.

Firewall

A tool that protects a computer from unwanted connections to or from local networks and the internet. A firewall might have rules that forbid outgoing email, or connections to certain websites. Firewalls can be used as a first line of defense to protect a device from unexpected interference. They can also be used to prevent users from accessing the internet in certain ways.

Attack

In computer security, an attack is a method that can be used to compromise security. An attacker is the person or organization using an attack. An attack is sometimes called an "exploit."

Throwaway address

An email address you use once, and never again. This is often used to sign up to internet services without revealing an email address connected to your identity.

Threat model

A way of thinking about the sorts of protection you want for your data so you can decide which potential threats you are going to take seriously. It's impossible to protect against every kind of trick or adversary, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible threats you plan to protect against is called threat modeling or assessing your risks.

Decrypt

Make a scrambled message or data intelligible. The goal of encryption is to make messages that can only be decrypted by the person or people who are meant to receive them.

Threat

In computer security, a threat is a potential event that could undermine your efforts to defend your data. Threats can be intentional (conceived by attackers), or they could be accidental (you might leave your computer turned on and unguarded).

Security question

To supplement passwords, some systems use “security questions” that are supposed to act as a backup for account access in case you forget your password, or as a way to further check your identity even when you do provide a password. These are queries to which only you are supposed to know the answer. The problem with security questions is that they are really just extra passwords that have potentially guessable or discoverable answers. We recommend you treat them as any other password: create a long, novel, random phrase to answer them, and record that somewhere safe. So the next time your bank asks you your mother's maiden name, you should be ready to answer something like "Correct Battery Horse Staple."

Backdoor

When talking about computer security, a “backdoor” refers to a way to access software or hardware that is generally not visible to the user. This can have legitimate uses, like opening up troubleshooting tools, but can also be maliciously created to weaken security, or access data without a user knowing about it.

VoIP

Any technology that allows you to use the internet for voice communication with other VoIP users or receive telephone calls over the internet.

Browser Fingerprint

The various properties of your web browser and computer that a website can notice when you visit. They may be slightly different from other browsers or computers, which can be a way to recognize you even if you didn't log in, even if your computer doesn't save cookies, and even if you connect to the Internet from a different network in the future. For example, you might be the only person who visits a particular site from a device set to a particular language, with a particular screen size, and using a particular web browser version; then the site could realize that it's you whenever you visit, even if you don't do anything else to reveal your identity.

Cookies

Cookies are a web technology that lets websites recognize your browser. Cookies were originally designed to allow sites to offer online shopping carts, save preferences, or keep you logged on to a site. They also enable tracking and profiling so sites can recognize you and learn more about where you go, which devices you use, and what you are interested in, even if you don't have an account with that site, or aren't logged in.

Key verification

In public key cryptography, each person has a set of keys. To send a message securely to a particular person, you encrypt your message using their public key. An attacker may be able to trick you into using their key, which means that they will be able to read your message, instead of the intended recipient. That means that you have to verify that a key is being used by a particular person. Key verification is any way that lets you match a key to a person.

Transport encryption

Encrypting data as it travels across the network, so that others spying on the network (such as a hacker at a coffee shop, or your ISP) cannot read it.

Zero day

A flaw in a piece of software or hardware that was previously unknown to the maker of the product. Until the manufacturers become aware of the flaw and fix it, attackers can use it for their own purposes.

Web browser

The program you use to view websites on the internet. Firefox, Safari, Edge, and Chrome are all web browsers.

End-to-end encryption

End-to-end encryption ensures that a message is turned into a secret message by its original sender, and decoded only by its final recipient. Other forms of encryption may depend on encryption performed by third-parties. That means that those parties have to be trusted with the original data. End-to-end encryption is generally regarded as safer, because it reduces the number of parties who might be able to interfere or break the encryption.

HTTPS

If you've ever seen a web address spelled out as “http://www.example.com/”, you'll recognize the “http” bit of this term. HTTP (hypertext transfer protocol) is the way a web browser on your machine talks to a remote web server. Unfortunately, standard http sends text insecurely across the internet. HTTPS (the S stands for “secure”) uses encryption to better protect the data you send to websites, and the information they return to you, from prying eyes.

Data

Any kind of information, typically stored in a digital form. Data can include documents, pictures, keys, programs, messages, and other digital information or files.

Open-source software

Open source software, or free software, is software that can be distributed freely in a form that lets others modify it and rebuild it from scratch. While it is known as “free software,” it's not necessarily free as in zero-cost: FLOSS programmers can ask for donations, or charge for support or for copies. Linux is an example of a free, open source program, as are Firefox and Tor.

Air gap

A computer or network that is physically isolated from all other networks, including the internet, is said to be air-gapped.

Forward Secrecy

A property of a secure messaging system which ensures that your past communications can remain secure even if one of the secret keys is stolen later. Forward secrecy works by using the participant’s secret keys to generate a new key, which is only used for the current conversation and destroyed afterwards, rendering old messages impossible to decrypt. For HTTPS websites, forward secrecy is an important protection against adversaries like intelligence agencies which may record large amounts of traffic and use a stolen key to decrypt it. For instant messaging and chat systems, forward secrecy is necessary to ensure that deleted messages are really deleted, but you will also need to either disable logging or securely delete past messages.

Two-factor authentication

"Something you know, and something you have." Login systems that require only a username and password can be vulnerable to someone else obtaining (or guessing) those pieces of information. Services that offer two-factor authentication also require you to provide a separate confirmation that you are who you say you are. The second factor could be a one-off secret code that is sent to you via email or text, a number generated by a program running on a mobile device, or a separate device, such as a USB authentication token that you carry and that you can use to confirm who you are. Companies like banks, and major internet services like Google, PayPal, and Facebook offer two-factor authentication .

Add-on

An add-on is a piece of software that modifies other software by changing how it works or what it can do. Often add-ons can add privacy or security features to web browsers or email software. Some add-ons are malware, so be careful to install only those that are reputable and from official sources.

Ransomware

A type of malware designed to prevent a device owner from accessing their own data, with the hope of extracting a “ransom” in exchange for the promise of allowing access to it once again. It is deployed to lock data by encrypting it with a key unknown to the device owner, so that the attacker can ask for a ransom payment to unlock that data. These attacks may target a home computer or corporations.

Passphrase

A passphrase is a kind of password. We use "passphrase" to convey the idea that a password which is a single word is far too short to protect you and a longer phrase is much better. The webcomic XKCD has a good explanation. http://xkcd.com/936/

Key

In cryptography, a piece of data which gives you the capability to encrypt or decrypt a message.

Command and control server

A command and control server (C&C or C2) is a computer that gives orders to malware-infected devices and receives information from those devices. Some C&C servers control millions of devices.

Phishing

A type of cyberattack where an adversary sends a message (via email, text message, etc), file, or link that looks innocent, but is actually malicious. The term itself comes from “fishing,” because an adversary uses a “lure” to trick someone into opening an attachment, clicking a link, entering a password, or other methods meant to trick people into handing over information or access to a machine.

Key pair

To receive encrypted messages using public key cryptography (and to reliably inform others that a message genuinely came from you), you need to create two keys. One, the private key, you keep secret. The other, the public key, you can let anyone see. The two keys are connected mathematically, and are often collectively known as a "keypair."

Encryption

A process that takes a message and makes it unreadable except to a person who knows how to "decrypt" it back into a readable form.

Internet filtering

Filtering is a polite term for blocking or censoring internet traffic. Virtual Private Networks or services like Tor are sometimes used to access internet communications that would otherwise be filtered.

IP address

A device on the internet needs its own address to receive data, just like a home or business needs a street address to receive physical mail. This address is its IP (Internet Protocol) address. When you connect to a website or other server online, you usually reveal your own IP address. This doesn't necessarily reveal your identity (it's hard to map an IP address to a real address or a particular computer), but it can be combined with other pieces of information to identify you. An IP address can give away some information about you, however, such as your rough location or the name of your Internet Service Provider (ISP). Services like Tor let you hide your IP address, which helps give you anonymity online.

Asset

In threat modeling, an asset is any piece of data or a device that needs to be protected.

Solid State Drive (SSD)

Historically, computers stored data on rotating magnetic discs. Mobile devices and increasing numbers of personal computers now store permanent data on non-moving drives. These SSD drives are much faster at read and write operations than magnetic storage. Unfortunately, it can be more difficult to reliably and permanently remove data from SSD drives.

File Transfer Protocol (FTP server)

An older method for copying files from a local computer to a remote one, or vice versa. The job of FTP programs (and the FTP servers that stored the files) has mostly been taken over by web browsers and web servers, or file synchronising programs like Dropbox.

Key Fingerprint

A sequence of letters or numbers that represent a public key. Some privacy tools let you check the match between someone's key fingerprint as seen by your device and by their device. The purpose of this check is to prevent a man-in-the-middle attack, where someone tricks you into using the wrong key.

Keyring

If you use public key cryptography, you'll need to keep track of many keys: your secret, private key, your public key, and the public keys of everyone you communicate with. The collection of these keys is often referred to as your keyring.

Stalkerware

A type of spyware that is marketed and sold to consumers as a way to secretly spy on a phone or computer belonging to one's spouse, partner, or sometimes children. 

Public key encryption

Traditional encryption systems use the same secret, or key, to encrypt and decrypt a message. So, if a file gets encrypted with the password “bluetonicmonster,” you would need both the file and the password "bluetonicmonster" to decode it. Public key encryption uses two keys: one to encrypt, and another to decrypt. When you sign up to an encrypted messaging service, your phone keeps the key to decrypt messages safely hidden, and sends out the key to encrypt messages to you, so anyone with that key can talk to you securely. The key your phone sends out is known as the "public key": hence the name of the technique. Public key encryption is used to encrypt Signal and WhatsApp messages, and used to enable HTTPS using TLS for web browsing.

Revocation certificate

What happens if you lose access to a secret key, or it stops being secret? A revocation certificate is a file that you can generate that announces that you no longer trust that key. You generate it when you still have the secret key, and keep it for any future disaster.

Brute Force

A method of hacking into an account or device by trying different combinations of letters, words, characters, or raw “binary” data to guess passwords. This might include randomly guessing passwords, using a “dictionary” of common passwords, or even using a list of passwords that are specially generated using personal data on the target of the hack.

Key-signing party

When you're using public key encryption, it's important to be sure that the key you use to encrypt a message really belongs to the recipient (see key verification). PGP makes this a little easier by having a way to tell others "I believe this key belongs to this person, and if you trust me, you should believe that too." Telling the world that you trust someone's key is called "signing their key," which means anyone who uses that key can see you vouched for it. To encourage everyone to check and sign each other's keys, PGP users organize key-signing parties.

Analogy: It's like a networking party, where you introduce your friends to other friends.

File system

Where data—including personal files such as documents, notes, and pictures—is stored, usually locally, on your computer or other device.

Distributed Denial of Service attack

A method for taking a website or other internet service offline by coordinating many different computers to request or send data to it simultaneously. Usually the computers used to conduct such an attack are remotely controlled by people who have taken over the machines by breaking into them, or infecting them with malware.

Secure Sockets Layer (SSL)

The technology that permits you to maintain a secure, encrypted connection between your computer and some of the websites and internet services that you visit. When you're connected to a website through this technology, the address of the website will begin with HTTPS rather than HTTP. Officially, its name was changed to Transport Layer Security (TLS) in 1999, but many people still use the old name.

Domain name

The address, in words or letters, of a website or internet service; for example: ssd.eff.org

Passive adversary

A passive adversary is one that can listen to your communications, but cannot directly tamper with them.

Data Breach

When protected data is improperly disclosed or is accessed and taken without permission. Most often this refers to data—including passwords, phone numbers, social security numbers, and more—being taken from a provider of a service, like an online store, hospital, bank, or streaming service. A data breach can also refer to data exposures where information isn’t properly secured (like data stored online without a password).

Protocol

A communications protocol is a way of sending data between programs or computers. Software programs that use the same protocol can talk to each other. For example, web browsers and web servers speak the same protocol, called “http.” Some protocols use encryption to protect their contents. The secure version of the http protocol is called “https.”

Metadata

Metadata (or "data about data") is data that describes a piece of information, apart from the information itself. So, the content of a message is not metadata, but who sent it, when, where from, and to whom, are all examples of metadata. Legal systems often protect content more than metadata: for instance, in the United States, law enforcement needs a special warrant to listen to a person's telephone calls, but claims the right to obtain the list of who you have called far more easily. However, metadata can often reveal a great deal, and will often need to be protected as carefully as the data it describes. The U.S. legal system is slowly recognizing this.

Vulnerability

In software, a vulnerability refers to a type of security flaw, poor configuration, or bug that allows for the software to be exploited or behave in a way that breaks the security of the software.

Digital Signature

The use of a mathematical technique to verify that some information legitimately came from someone in possession of a specific cryptographic key (usually linked to their identity), and to confirm that it wasn't altered in any way. Digital signatures may be used with software downloads to make sure that the software you're installing is the same as the official version, and that nobody has tampered with it. When information isn't protected by a digital signature, an attacker could change the contents of what someone wrote or published, and there wouldn't be a technical means to detect that this happened.

Encryption key

A piece of information that is used to convert a message into an unreadable form. In some cases, you need the same encryption key to decode the message. In others, the encryption key and decryption key are different.

Malware

Malware is short for malicious software: programs designed to conduct unwanted actions on your device. Computer viruses are malware. So are programs that steal passwords, secretly record you, or delete your data.

Encrypt

To scramble information or a message mathematically so that it seems meaningless, but can still be restored to its original form by a person or device that possesses a piece of data that can unscramble it (a key). This limits who can access the information or message because without the right key, it is nearly impossible to reverse the encryption and recover the original information. Encryption is one of several technologies that make up the field called cryptography.

PGP

PGP or Pretty Good Privacy was one of the first popular implementations of public key cryptography. Phil Zimmermann, its creator, wrote the program in 1991 to help activists and others protect their communications. He was formally investigated by the U.S. government when the program spread outside the United States. At the time, exporting tools that included strong public key encryption was a violation of U.S. law.

PGP continues to exist as a commercial software product. A free implementation of the same underlying standard that PGP uses called GnuPG (or GPG) is also available. Because both use the same interchangeable approach, people will refer to using a “PGP key” or sending a “PGP message”, even if they are using GnuPG.

SIM card

A small, removable chip that can be inserted into a mobile device in order to provide service with a particular mobile phone carrier. SIM (subscriber identity module) cards can also store phone numbers and text messages. SIMs are increasingly also available digitally, where they’re called eSIMs (electronic subscriber identity module).

Adversary

Your adversary is the person or organization attempting to undermine your security goals. Adversaries can be different, depending on the situation. For instance, you may worry about criminals spying on the network at a cafe, or your classmates logging into your accounts on a shared computer at a school. Often the adversary is hypothetical.

Corporate Intranet

Services such as email, web, and access to files and printers that are accessible from within a company or large institution's local network, but not to the wider internet. Most companies take this as being sufficient security to protect their internal documents, but this means that any attack that can connect to the intranet can access or interfere with all the information being kept locally. An example of such an attack is tricking an employee into installing malware on their laptop. To allow employees to access the intranet via the wider internet, companies will often provide their own Virtual Private Network (VPN) which creates a secure connection to the inside of the intranet from anywhere in the world.

SSH

SSH (or Secure Shell) is a method for letting you securely control a remote computer via a command line tool. One of the features of the SSH protocol is that as well as sending commands, you can also use it to securely relay Internet traffic between two computers. To set up an SSH link, the remote system needs to operate as an SSH server, and your local machine needs an SSH client program.

Master password

A password used to unlock a store of other passwords or other ways to unlock programs or messages. You should make a master password as strong as you can.

Antivirus

Software that attempts to protect a device from being taken over by malicious software (or “malware”). Viruses were some of the first and most prevalent forms of malware; they were named viruses to reflect the way they would spread from device to device. These days most antivirus software concentrates on warning you if you are downloading a suspicious file from an external source, and examining files on your computer to see if they match the software's idea of what malware looks like.

Antivirus software can only recognize malware if it is similar to samples that the antivirus developer has already analyzed. This makes it far less effective at combating targeted malware designed to infiltrate a particular community or person, rather than more widespread strains of malware. Some advanced malware can also actively attack or conceal itself from antivirus software.

File Fingerprint

A sequence of letters and numbers that mathematically represent the contents of a file. Changing the file even a tiny bit will completely change its fingerprint. Checking the fingerprint of a file that you've downloaded, such as a software application or extension, helps to make sure that you got the file that you intended, and that nobody has tampered with it while it was being downloaded.

VPN

A virtual private network is a method for connecting your computer securely to the network of an organization on the other side of the internet. When you use a VPN, all of your computer's internet communications are packaged together, encrypted, and then relayed to this other organization, where they are decrypted, unpacked, and then sent on to their destination. To the organization's network, or any other computer on the wider internet, it looks like your computer's request is coming from inside the organization, not from your location.

VPNs are used by businesses to provide secure access to internal resources (like file servers or printers). They are also used by individuals to bypass local censorship, or defeat local surveillance.

Traffic-blocking browser extension

When you visit a website, your browser sends some information to that site's operators—your IP address, other information about your computer, and cookies that link you to previous visits using that browser, for instance. If the website includes images and content taken from other web servers, that same information is sent to other websites as part of downloading or viewing the page. Advertising networks, analytics providers, and other data collectors may gather information from you in this way.

You can install additional software that runs alongside your browser and will limit how much information is shared with third-parties in this way. The most well-known examples are programs that block advertisements. EFF offers a tool called Privacy Badger which is another traffic-blocking extension.

Full disk encryption

If you're planning on securing data on your local device, you could choose to just encrypt a few important files, or you could encrypt everything on the computer. “Full disk encryption” is the term for encrypting everything. It's usually safer (and often easier) to use full disk encryption than to manage just a few individually encrypted files. If you encrypt individual files, your computer might make temporary unencrypted copies of those files without you noticing. And some software might keep some unencrypted records about your use of your computer. Apple's macOS, Linux, and some versions of Windows all have built-in full disk encryption, but it is usually not turned on by default.

Man-in-the-middle attack

Also called a “machine-in-the-middle attack,” this refers to a type of attack where an adversary intercepts communications sent between you and your intended recipient, then sends them on after interception, so that neither you nor the recipient know there is a “man in the middle.” Men-in-the-middle can spy on communications or even insert false or misleading messages into your communications. Security-focused internet communications software needs to defend against the man-in-the-middle attack to be safe against adversaries who have control of any part of the Internet between two communicators.

As an example, suppose you believe you were speaking to your friend, Bahram, via encrypted instant messenger. To check if it's really him, you ask him to tell you the city where you first met. "Istanbul" comes the reply. That's correct! Unfortunately, without you or Bahram knowing, someone else online has been intercepting all your communications. When you first connected to Bahram, you actually connected to this person, and she, in turn, connected to Bahram. When you think you are asking Bahram a question, she receives your message, relays the question to Bahram, receives his answer back, and then sends it to you. Even though you think you are communicating securely with Bahram, you are, in fact, only communicating securely with the spy, who is also communicating securely to Bahram! This is the man-in-the-middle attack.

Wear leveling

Some forms of digital storage, like the flash memory used in solid-state drives (SSD) and USB sticks, can wear out if overwritten many times. Wear leveling is a method that spreads the writing of data evenly across all of the media to prevent one part of it being overwritten too many times. Its benefit is that it can make devices last longer. The danger for security-conscious users is that wear leveling interferes with secure erase programs, which deliberately try to overwrite sensitive files with junk data in order to permanently erase them. Rather than trusting secure erase programs with files stored on SSD or USB flash drives, it can be better to use full-disk encryption. Encryption avoids the difficulty of secure erasing by making any file on the drive difficult to recover without the correct passphrase.

Cryptography

The art of designing secret codes that let you send and receive messages to a recipient without others being able to understand the message.

Keylogger

A malicious program or piece of hardware that records everything you type into a device, including passwords and other personal details, allowing others to secretly collect that information. (The "key" in keylogger refers to the keys you have on your keyboard.) Keyloggers are often malware that users have been tricked into downloading and running, or occasionally physical hardware secretly plugged into a keyboard or device.

Burner phone

A phone that is not connected to your identity, is only used for a small set of calls or activities, and can be discarded if and when it is suspected of being tracked or compromised. Burner phones are often pre-paid mobile phones bought with cash.

IMAP settings

IMAP is the way that many email programs communicate with services that send, receive, and store your email. By changing the IMAP settings on your email program, you can choose to load email from different servers or set the level of security and encryption used to transfer the mail across the internet to you.

Password manager

A tool that can encrypt and store your passwords using a single master password, making it practical to use many different passwords on different sites and services without having to memorize them.

Command line tool

The "command line" is a way of giving a computer a series of small, self-contained orders. To use a command line tool, the user types a command into a window called a terminal emulator, hits the return or enter key, and then receives a textual response in the same window. Windows, Linux, and Mac computers still run software using this interface, and even some mobile phones can do the same with the right app. The command line can be used to run software pre-packaged with your operating system. Some downloadable programs, especially technical utilities, use the command line instead of a more familiar "icons and buttons" user interface. The command line requires you to type in exactly the right set of letters and numbers to get the correct result, and it can be unclear what to do if the responses don't match your expectations.

Undelete software

Most devices let you delete data from them—for instance, you can drag a file to the Trash icon, or press delete in a photo album. But deletion does not always mean that the original data is gone. Undelete programs are applications that can be used by the device's owner, or others with access to the device, to restore some data. Undelete programs are useful for those who accidentally delete their own data, and to those whose data might have been sabotaged, such as a photographer who has been compelled to remove images from their camera. However, those same programs can be a threat to anyone who wants to permanently erase confidential data.

Out-of-band verification

"Out-of-band" means any way of communicating outside of the current method. Verifying the identity of the person you're talking to over an insecure communication system often requires communicating out-of-band via another method that is less vulnerable to the same kind of attack. So, for instance, you might check that you are using someone's correct public key by talking to them in person, before using it to encrypt your email.

Security Certificate

A way to confirm automatically that a public key is correct (is really the one that's used by a particular entity) in order to prevent man-in-the-middle attacks. Most often used by websites to prove to your browser that you have a secure connection to the real site, and not to some other system that's tampering with your connection.

Password

A secret meant to be memorized or otherwise protected and kept private, and meant to limit access to something so that only someone who knows the password can gain access. It might limit access to an online account, a device, or something else. A long password based on multiple words may also be called a "passphrase" to remind us that it's not just one "word." A master password is a main password used to unlock other passwords in a password manager or password safe application.

Pseudonym

A name that you choose to use in some context (like an online forum) and that others may come to recognize, but that isn’t connected to names that people know you by in your day-to-day life.

Capability

The capability of an attacker (in the sense we use it in this guide) is what the attacker is able to do to achieve its aims. For example, a country's security services might have the capability to listen to telephone calls while a neighbor may have the capability to watch you from their window. To say that an attacker "has" a capability does not mean that they will necessarily use that capability. It does mean that you should consider and prepare for the possibility.

Spyware

A type of malware designed to surveil a device without the user knowing about it. As a term, spyware is used in a variety of ways, including in reference to mercenary spyware designed by private companies for government agents to monitor targets, and commercial spyware that monitors how employees or students use computers. Spyware can have multiple capabilities including downloading data from a device, tracking the device's location, secretly turning on the microphone and camera, and reading encrypted text messages.

Off-the-Record

Instant messaging systems are often unencrypted. Off-the-Record Messaging (OTR) is a way of adding encryption to them, so that you can keep using familiar networks but with your messages more resistant to surveillance.

Commercial VPN

A private service that offers to securely relay your internet communications via their own network. A VPN may be hosted in a foreign country, which is useful both for protecting communications from a local government, and bypassing national censorship. The downside is that the traffic is decrypted at the commercial VPN's end. That means you need to trust the commercial VPN (and the country where it is located) not to spy on your traffic.

Risk assessment

In computer security, risk analysis is calculating the chance that threats might succeed, so you know how much effort to spend defending against them. There may be many different ways that you might lose control or access to your data, but some of them are less likely than others. Conducting a risk assessment means deciding which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about. See threat modeling.

Web-based proxy

A website that lets its users access other, blocked or censored websites. Generally, the web proxy will let you type a web address (or URL) onto a web page, and then redisplay that web address on the proxy page.