What Husk protects, and what it doesn't.
Most "private browser" pages list features. This one tries to be honest about the threat model — what's actually defended, and what still leaks. If you're going to trust a browser with your sealed profile, you deserve to know where the edges are.
Things Husk will never do.
- No telemetry. Husk does not phone home. Not for crash reports, not for usage stats, not for "to improve the product". The binary has no analytics SDK because we didn't ship one.
- No account. There is no "sign in to Husk". Profiles are local. Sync is not a feature.
- No password reset. Encrypted profiles use a single phrase. Lose it, lose the profile. We can't recover it because the design refuses to give us that power.
- No ad-funded mode. Husk is free because it's small. It isn't free because someone else is paying for your attention.
Who Husk is built against.
A passer-by at your unattended machine
Encrypted profiles, F9 boss key, fake-vault on duress phrase. Someone who sits down at your unlocked Windows session can't read sealed profiles or wipe them without the phrase.
Trackers, ads, and behavioural fingerprinting
Native adblock + DoH cuts the trackers' JS and the DNS query that fetches it. Canvas/font/audio/UA spoofing makes fingerprint matching unreliable across sessions, and a long-press reload rotates the seed on demand.
Forensics on a stolen powered-off machine
Sealed profiles are useless without the phrase. The temp dir an unlock materializes is wiped on lock — and any leftover from a crash is swept on the next boot.
Untrusted code on your own machine
Malware running as your user can read process memory and key-log your phrase. Husk uses memory hygiene (zeroing on lock) but no browser can win against a co-resident attacker on the same OS user. This is a Windows-level threat, not a browser one.
Network-level adversaries
DoH hides your DNS queries from your ISP and local network. The HTTPS request itself is still visible by destination IP (and SNI on older clients). Husk is not Tor — if you need IP unlinkability, route Husk through a VPN or use Tor Browser.
Server-side tracking after you log in
Once you sign into a service, that service knows it's you. Husk can't protect you from a site you've authenticated to. Anti-fingerprint and tracker blocking matter between logins; they don't pretend to make a logged-in session anonymous.
State-level adversaries
Husk is a privacy tool, not a counter-intelligence one. If a nation-state is in your threat model, you need an opsec stack and operational discipline, not a browser. Husk helps reduce ambient surveillance; it does not promise resistance against targeted attacks with unlimited resources.
What we use, why, and where to read it.
| Key derivation | Argon2id — 64 MB memory, 3 iterations, 4 lanes |
|---|---|
| Symmetric cipher | ChaCha20-Poly1305 (AEAD, 256-bit key, 96-bit nonce) |
| Associated data | husk-profile-v1 (version-bound, can't downgrade) |
| Profile format | HPRF magic · version · salt · nonce · ct · tag |
| Crate | RustCrypto — argon2, chacha20poly1305 |
| Source | github.com/runhusk/husk-crypto |
The vault and profile-encryption code is open source. The rest of the browser (UI, multi-window, interceptor) is closed for now — not for security reasons but to keep a small project's positioning defensible. The trust-critical surface — the part that decides whether "encrypted" is true — is the part we publish.
The rendering engine is Chromium.
Husk uses WebView2 — Microsoft's distribution of the Chromium engine — for HTML rendering. This is a deliberate compromise: writing a new web engine is a multi-decade project, and the alternatives (Servo) aren't production-ready.
What we do not ship: Edge's telemetry, Microsoft account integration, sync, or any of the data-collection Chrome gets fed by default. The renderer is Chromium; the privacy layer on top is entirely Husk's. The day a non-Chromium engine is production-viable for embedding, we'll be the first to switch.