The Complete Guide to Online Privacy and Security 2026: VPN, Encryption, 2FA, GDPR, and More

A communication system where only the communicating parties can read the messages. The service provider cannot decrypt the data even if compelled by law. Messages are encrypted on the sender device and decrypted only on the recipient device. Used by Signal, WhatsApp, iMessage, ProtonMail. Protects against server breaches, insider threats, and government surveillance.

A symmetric block cipher adopted by the U.S. government in 2001 (replacing DES). AES uses 128, 192, or 256-bit keys. AES-256 is considered unbreakable with current technology (2^256 possible keys). Used in: HTTPS/TLS, full-disk encryption, password managers, VPNs, and file encryption. Modes: GCM (authenticated), CBC (legacy), CTR. AES-256-GCM is the gold standard.

The protocol that secures HTTPS connections. TLS 1.3 (current) reduced handshake to one round trip, removed insecure ciphers, and made forward secrecy mandatory. The TLS handshake negotiates cipher suite, authenticates the server via certificates, and establishes a shared encryption key. All modern websites should use TLS 1.3. TLS 1.0 and 1.1 are deprecated.

A property of key-agreement protocols ensuring that compromise of long-term keys does not compromise past session keys. Each session uses a unique ephemeral key. Even if the server private key is later compromised, previously recorded encrypted traffic cannot be decrypted. Achieved through Diffie-Hellman Ephemeral (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Mandatory in TLS 1.3.

A cryptographic method where one party (the prover) proves to another party (the verifier) that they know a value, without conveying any information about the value itself. Applications: password verification without transmitting the password, blockchain privacy (Zcash), and age verification without revealing birth date. Still mostly academic/blockchain but growing in practical applications.

The framework of policies, hardware, software, and procedures needed to create, manage, distribute, and revoke digital certificates. PKI enables: HTTPS (SSL/TLS certificates), email signing (S/MIME), code signing, and document signing. Certificate Authorities (CAs) like Let's Encrypt, DigiCert issue certificates that browsers trust. Certificate Transparency logs make issuance auditable.

A technology that creates an encrypted tunnel between your device and a VPN server, hiding your IP address and encrypting your internet traffic from your ISP and local network. VPNs protect against: ISP surveillance, public Wi-Fi attacks, geographic censorship, and IP-based tracking. They do NOT provide anonymity (the VPN provider can see your traffic) or protect against browser fingerprinting.

A modern VPN protocol that is simpler, faster, and more secure than OpenVPN and IPsec. Uses ~4,000 lines of code (vs. OpenVPN 100,000+), making it easier to audit. Uses modern cryptography: ChaCha20, Poly1305, Curve25519, BLAKE2. Built into the Linux kernel since 5.6. All major VPN providers now support WireGuard as their primary protocol.

A security mechanism requiring two or more verification factors: something you know (password), something you have (phone, hardware key), or something you are (biometric). 2FA dramatically reduces account compromise: accounts with 2FA are 99% less likely to be hacked. Best methods: hardware keys (FIDO2/WebAuthn) or TOTP apps. SMS-based 2FA is vulnerable to SIM-swapping attacks.

A passwordless authentication standard based on public-key cryptography. The device generates a unique key pair for each website. The private key never leaves the device; the public key is stored by the service. Phishing-resistant: passkeys are bound to the website domain and cannot be entered on fake sites. Synced via iCloud Keychain, Google Password Manager, or 1Password. Supported by Apple, Google, Microsoft.

A measure of password strength in bits. Entropy = log2(characters^length). An 8-character lowercase password has ~38 bits of entropy. A 16-character mixed-case+digits+symbols password has ~105 bits. NIST recommends at least 64 bits for standard accounts. A 4-word passphrase ("correct-horse-battery-staple") has ~56-80 bits depending on the word list. Higher entropy = exponentially harder to brute-force.

A social engineering attack where attackers impersonate trusted entities to trick victims into revealing credentials, financial information, or installing malware. Attack vectors: email (most common), SMS (smishing), phone calls (vishing), fake websites, QR codes (quishing). Defense: email filtering, user training, FIDO2/passkeys (phishing-resistant), URL checking, and multi-factor authentication.

Malware that encrypts a victim files and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware groups also exfiltrate data and threaten to publish it (double extortion). Major attacks: Colonial Pipeline (2021), MOVEit (2023). Defense: offline backups (3-2-1 rule), patching, network segmentation, EDR, and incident response plans. Never pay the ransom (no guarantee of recovery, funds criminal enterprise).

A tracking technique that identifies users by collecting browser and device characteristics: screen resolution, installed fonts, WebGL renderer, user agent, timezone, language, canvas rendering, AudioContext. Unlike cookies, fingerprints cannot be easily deleted. Effectiveness: can identify 90%+ of browsers uniquely. Defense: Tor Browser (uniform fingerprint), Brave (randomized), Firefox Resist Fingerprinting mode.

Using HTTP cookies to track users across websites. First-party cookies: set by the visited website (login sessions, preferences). Third-party cookies: set by external domains (ad trackers, analytics). Third-party cookies are being phased out by browsers. Alternatives: Google Topics API, server-side tracking, fingerprinting, and first-party data. Cookie consent banners (GDPR requirement) let users accept/reject cookies.

A protocol that encrypts DNS queries by sending them over HTTPS instead of plaintext UDP. This prevents ISPs, network operators, and attackers from seeing which websites you visit via DNS. Supported by Firefox (default), Chrome, Edge, iOS, Android. DNS providers: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9). Alternative: DNS over TLS (DoT).

A free, open-source network for anonymous communication. Traffic is encrypted and routed through three volunteer relays (guard, middle, exit), each peeling one layer of encryption. No single relay knows both the source and destination. Provides strong anonymity but slower speeds. Access via Tor Browser. Used by journalists, activists, whistleblowers, and privacy-conscious individuals. .onion sites are only accessible via Tor.

The EU comprehensive data protection law (effective May 2018). Key principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability. Rights: access, rectification, erasure, portability, objection. Requires Data Protection Officers, Data Protection Impact Assessments, and 72-hour breach notification. Fines up to 4% of global annual revenue.

The principle of collecting only the minimum amount of personal data necessary for a specific purpose. A core requirement of GDPR (Article 5). Example: a newsletter signup needs only an email address, not name, address, phone, and birth date. Data minimization reduces breach impact, simplifies compliance, and builds user trust. "The best protection for data is not to collect it."

A data subject right under GDPR (Article 17) to request deletion of their personal data. Organizations must delete data when: it is no longer necessary for the original purpose, consent is withdrawn, data was unlawfully processed, or there is no overriding legitimate interest. Search engines must delist results about individuals upon request (within the EU). Similar rights exist in CCPA, LGPD, and other regulations.

A security model based on the principle "never trust, always verify." Zero Trust assumes no implicit trust for any user, device, or network, whether inside or outside the corporate perimeter. Key components: micro-segmentation, identity verification for every access request, least-privilege access, continuous authentication, and device health checks. Replaces the traditional "castle and moat" approach. Growing from 5% adoption in 2018 to 55% in 2026.

A social engineering attack where an attacker convinces a mobile carrier to transfer a victim phone number to a new SIM card. This gives the attacker control of SMS-based 2FA codes, allowing account takeover. High-profile victims include crypto holders and executives. Defense: use authenticator apps or hardware keys instead of SMS 2FA, add a PIN to your carrier account, and use a port-freeze feature.

Manipulating people into revealing confidential information or performing actions that compromise security. Techniques: phishing (fake messages), pretexting (fabricating scenarios), baiting (malicious USB drives), tailgating (following authorized people into secure areas), and quid pro quo (offering something in exchange). Human error is the #1 cause of data breaches. Defense: security awareness training, verification procedures, and least-privilege access.

Information collected from publicly available sources for intelligence purposes. Sources: social media profiles, public records, domain registrations (WHOIS), company filings, news articles, leaked databases, and metadata in files. OSINT is used by security researchers, journalists, law enforcement, and unfortunately by attackers to gather information for targeted attacks. Tools: Maltego, Shodan, theHarvester.

Data about data. File metadata includes: creation date, author name, GPS coordinates (photos), device information, and editing history. Email metadata: sender, recipient, timestamps, IP addresses, subject line. Communication metadata (who contacted whom, when, how long) can reveal as much as content. Metadata is often overlooked but is a significant privacy risk. Tools to strip metadata: ExifTool, mat2.

A structured analysis of potential threats and attack vectors specific to your situation. Components: assets (what you protect), adversaries (who threatens you), capabilities (what they can do), and mitigations (your defenses). A journalist facing state surveillance has a different threat model than someone avoiding targeted ads. Your security measures should match your threat model, not paranoia.

Messaging with end-to-end encryption where only participants can read messages. Signal: gold standard, open-source, minimal metadata. WhatsApp: E2EE by Signal Protocol, but Meta collects metadata. iMessage: E2EE between Apple devices. Matrix/Element: open-source, federated, E2EE. Telegram: E2EE only in "Secret Chats" (not default). Key features to verify: default E2EE, open-source, minimal metadata collection, disappearing messages.

An approach that embeds privacy protections into the design of systems and business practices from the start, rather than adding them after the fact. Seven foundational principles (Ann Cavoukian): proactive not reactive, privacy as default, embedded into design, full functionality, end-to-end security, visibility and transparency, respect for user privacy. Required by GDPR (Article 25).

Websites accessible only through the Tor network (.onion addresses). The dark web is a subset of the deep web (content not indexed by search engines). Contains: forums, marketplaces (some illegal), whistleblower platforms (SecureDrop), censorship-resistant publishing, and breach data markets. Not all dark web activity is illegal. Journalists and activists use it for source protection.

An attack that targets less-secure elements in an organization supply chain. Examples: SolarWinds (2020, malicious update), Kaseya (2021, MSP compromise), Log4Shell (2021, library vulnerability), XZ Utils (2024, backdoored compression library). Open-source dependency attacks are growing. Defense: software bill of materials (SBOM), dependency scanning, signed packages, and vendor security assessments.

Encrypting data when it is stored (on disk, in databases, in cloud storage) as opposed to in transit (over a network). Protects against physical theft, unauthorized access to storage media, and certain types of insider threats. Implementations: BitLocker (Windows), FileVault (macOS), LUKS (Linux), AWS KMS, Azure Key Vault. Best practice: use AES-256 and manage encryption keys securely.

A trusted entity that issues digital certificates verifying the identity of websites, organizations, or individuals. Browsers maintain a list of trusted root CAs. When you visit an HTTPS website, the browser verifies the certificate was issued by a trusted CA. Let Encrypt provides free automated certificates. Certificate Transparency logs make all certificate issuance publicly auditable.

A web vulnerability where an attacker injects malicious JavaScript into a website that other users visit. Types: Stored XSS (saved in database), Reflected XSS (in URL parameters), DOM-based XSS (client-side). Impact: session hijacking, data theft, account takeover. Defense: output encoding, Content Security Policy (CSP), HttpOnly cookies, and input validation. One of the OWASP Top 10 vulnerabilities.

An HTTP security header that restricts which resources (scripts, styles, images) a browser can load for a page. CSP prevents XSS by allowing only trusted sources. Example: Content-Security-Policy: script-src 'self' cdn.example.com. Directives: default-src, script-src, style-src, img-src, connect-src, frame-ancestors. Report-only mode (Content-Security-Policy-Report-Only) helps test policies before enforcement.

The winner of the Password Hashing Competition (2015). Argon2 is designed to be resistant to GPU and ASIC attacks by requiring significant memory. Variants: Argon2d (data-dependent, faster), Argon2i (data-independent, side-channel resistant), Argon2id (hybrid, recommended). Parameters: memory cost, time cost, parallelism. Preferred over bcrypt and scrypt for new applications.

Hashing is a one-way function: data goes in, a fixed-size digest comes out, and you cannot reverse it. Used for: password storage, file integrity verification, digital signatures. Encryption is a two-way function: data is encrypted with a key and can be decrypted with the correct key. Used for: protecting data in transit and at rest. Passwords should be HASHED (not encrypted) so they cannot be recovered even if the database is breached.

Email authentication standards that prevent email spoofing. SPF (Sender Policy Framework): specifies which servers can send email for a domain. DKIM (DomainKeys Identified Mail): digitally signs emails to prove they were not altered. DMARC (Domain-based Message Authentication, Reporting, and Conformance): tells receivers what to do when SPF/DKIM fail (none, quarantine, reject). All three should be configured for every domain.

HTTP response headers that browsers use to enforce security policies. Essential headers: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options (prevent clickjacking), Referrer-Policy, Permissions-Policy. HSTS forces HTTPS and prevents downgrade attacks. Scan your headers at securityheaders.com. Missing security headers are a common and easily fixable vulnerability.

The security principle that every user, process, and program should have only the minimum permissions needed to complete their task. Reduces blast radius of breaches: a compromised read-only account cannot delete data. Applications: database users (read-only vs. admin), cloud IAM policies, file system permissions, and application permissions (camera, microphone, location). Core component of Zero Trust architecture.

A UEFI firmware security feature that ensures only trusted, digitally signed software loads during startup. Prevents bootkits and rootkits that modify the boot process. The firmware verifies the bootloader signature against keys stored in firmware. Supported by Windows (required since Windows 11), Linux (with enrolled keys), and macOS (Apple Silicon). Part of a chain of trust from hardware to OS.

A security measure where a computer or network is physically isolated from unsecured networks, including the internet. Used for: highly classified systems, cryptocurrency cold storage, critical infrastructure (power grids), and secure voting systems. Bridging techniques exist: USB drives, electromagnetic emanations, acoustic signals. True air gaps provide the strongest isolation but sacrifice connectivity.

A documented set of procedures for detecting, containing, eradicating, and recovering from security incidents. NIST framework phases: (1) Preparation, (2) Detection and Analysis, (3) Containment, Eradication, Recovery, (4) Post-Incident Activity (lessons learned). Every organization should have an IRP before a breach occurs. Regular tabletop exercises test the plan. Average time to detect a breach: 197 days (2025).

A company that collects personal information from various sources and sells it to other businesses. Data sources: public records, social media, purchase history, app data, location data. Information sold: demographics, interests, financial status, health indicators. Removing your data: opt-out requests (tedious), services like DeleteMe, Optery. CCPA gives California residents the right to opt out of data sales.

The trail of data you leave when using the internet. Active footprint: social media posts, emails, online purchases (things you intentionally share). Passive footprint: cookies, IP address logs, browsing history, location data (collected without explicit action). Reducing your footprint: use privacy-focused services, limit social media sharing, use VPN/Tor, opt out of data collection, and regularly audit your online presence.

A dedicated cryptographic processor that manages digital keys and performs encryption/decryption operations in a tamper-resistant physical device. HSMs protect the most critical keys (root CA keys, master encryption keys) from extraction. Used by CAs, banks, cloud providers (AWS CloudHSM, Azure Dedicated HSM). FIPS 140-2/3 certified. Keys never leave the HSM in unencrypted form.

A method used by service providers to inform users that they have NOT been served with a secret government order (such as a National Security Letter). The provider publishes a regular statement saying "We have not received any secret orders." If the statement disappears, users can infer that such an order has been received. Legal theory: you cannot be compelled to lie, only to not speak.