A ground-up web browser built in Rust around one principle — nothing leaves your machine unless you tell it to. No accounts, no sync servers, no telemetry pings. Bookmarks, history, vault, sessions — all local. Tracking parameters stripped before the request even fires.
No analytics, no crash reporting, no phone-home. The binary makes network requests only to the pages you navigate to and the DoH resolver you pick.
Ad networks, tracking pixels, fingerprinting scripts blocked at the navigation layer. Filter rules bundled in the binary — no external list downloads.
Encrypted DNS by default with Cloudflare, Google, or Quad9. Your resolver can’t see plaintext queries; your ISP can’t build a browsing profile.
AES-256-GCM password vault with PBKDF2-HMAC-SHA256 (600,000 iterations). Master password never stored — only the derived key lives in memory while unlocked.
Private browsing mode keeps history, cookies, and cache out of persistent storage. Tracking parameters (UTM, fbclid, gclid) are stripped on every request.
Isolated data directories per profile — separate bookmarks, history, vault, and session. Create, switch, rename, and delete without ever crossing streams.
The source tree is organized into seven isolated pillars. Each pillar has a single responsibility and communicates over an explicit IPC boundary.
| PILLAR | ROLE |
|---|---|
| UI | HTML/CSS/JS chrome (webview) or native egui chrome (servo-engine) |
| Communication | IPC protocol (70+ message types) + DNS-over-HTTPS resolver |
| Storage | Bookmarks, history, sessions, downloads, profiles — local only |
| Encryption | AES-256-GCM vault, PBKDF2-HMAC-SHA256 KDF, encrypted autofill |
| Platform | OS windowing: tao+wry or winit+wgpu+egui compositor |
| Engine | Tabs, ad blocker, extensions, permissions, devtools, app launcher |
| Media | Audio/video playback hooks (v0.5+ roadmap) |
| PARAMETER | DETAILS |
|---|---|
| Type | Privacy-First Web Browser |
| Language | Rust 2021 (single binary) |
| Platforms | Windows, macOS, Linux |
| Rendering | WebView (tao + wry 0.46) • Servo-egui (winit + wgpu + egui) planned |
| DNS | DoH via Cloudflare, Google, Quad9 — pick your resolver |
| Encryption | AES-256-GCM • PBKDF2-HMAC-SHA256 • 600,000 iterations |
| Ad Blocking | Navigation-layer filter • built-in rules • no external fetch |
| Tracking Strip | UTM, fbclid, gclid, and 20+ click-ID params removed from every URL |
| Storage | Local only — OS config dir • no cloud, no sync |
| Profiles | Isolated data dirs • unlimited profiles |
| Telemetry | None — zero analytics, zero crash pings, zero ID pings |
| License | CC BY-NC 4.0 (source-available, non-commercial) |
A single Rust binary opens a native window. The chrome (toolbar, URL bar, tab strip) is injected as a shadow-DOM overlay so no site can tamper with it.
DNS queries go out over HTTPS to the resolver you picked. Requests are scrubbed of tracking parameters before the socket opens.
The ad blocker runs at the navigation layer, not as a content extension. Known ad networks, pixels, and fingerprinting scripts are cancelled before they fetch.
Bookmarks, history, vault, sessions — every byte lands in your OS config directory. No account, no sync, no backup you didn’t ask for.
A single Rust binary with a native window. No runtimes, no Electron, no bundled Chromium download.
Open source under CC BY-NC 4.0 • source available on GitHub • non-commercial use