Browser fingerprinting defense: what we ship, what we do not
Most fingerprinting posts oversell the defense. This one is the opposite. Here is what Maho blocks, what Maho cannot block, and where the arms race still wins.
Most fingerprinting posts oversell the defense. This one is the opposite. Here is what Maho blocks, what Maho cannot block, and where the arms race still wins.
We described the shape of Maho sync in an earlier post. This is the long version. Real primitives, real wire format, real threat model.
Firefox built the user-agency case for the page-rendering era. Maho is building it for an era where the browser also runs models and tools. Both arguments are still right.
Most browsers store history in a plain SQLite file. That is fine until the laptop is lent, lost, or imaged. Maho draws the encryption line one layer earlier.
An account is a price most browsers make you pay for sync. We did not want to charge it. This is how the alternative works.
Agentic browsers fail in four shapes. The shapes are old. The defenses are not magic. Here is what each looks like in the wild and how the Maho host responds.
Zero telemetry is a phrase that gets attached to a lot of browsers. This is the inventory of every endpoint, what we did with it, and how you verify.
An agentic browser that does not ask is not safe. An agentic browser that asks too much is not usable. The middle is engineering work, not a slogan.
Brave Leo and the Maho side panel both promise privacy plus AI. They reach that promise from opposite directions. One bundles, one brings your own.
We removed every false ‘open source’ claim from this site. That left a question. If you cannot read the source, how do you trust the claims? This is the procedure.