the security model
Sealed by design.
The claims on the front page, with their mechanisms attached. Short version: your key never leaves your Vault, the relay only ever holds ciphertext, and we track Chromium security releases within 72 hours.
identity
Sign-in is PKCE, end to end.
Surferse is a public OAuth 2.1 client against uniauth.id. Every authorization request carries a fresh proof-key challenge; the code that comes back can only be redeemed with the matching verifier, which is single-use and never touches disk.
- 01surferse://signin
- 02uniauth.id/authorize
- 03code + verifier exchanged
- 04identity reflected
Refresh tokens are sealed in the OS keychain (patch 031). Signing out revokes them and leaves your synced data sealed behind the Vault key.
keys
Derived in the Vault. Never uploaded.
Your sync key is computed inside your UniAuth Vault from your own secret. There is no escrow, no "recovery by support", no server-side copy to subpoena.
Vault secretyours alone
→
HKDF-SHA-256info: surferse-sync-v1
→
AES-256-GCMfresh 96-bit nonce per record
- Payloads are padded to fixed sizes — the relay can't infer how much you sync (patch 041).
- Changing your Vault password re-derives the key and re-seals everything (patch 046).
the relay
What relay.uniauth.id can see.
| Your payloads | ciphertext only |
| Payload sizes | fixed-size, padded |
| Account identifier | pseudonymous id |
| Your Vault key | never |
| Your browsing | never — sync carries data, not history |
The honest caveat: like any server, the relay sees connection metadata while you're connected. It is not written into payload storage, and there is nothing useful to read if it were.
the engine
Chromium security, on a 72-hour clock.
Surferse rebases on every Chromium stable security release, typically shipping within 72 hours of upstream. The 58-patch set is kept deliberately small so every rebase can be re-audited in full, by a human, before it ships.
- Site isolation, sandboxing and the rest of Chromium's hardening are untouched.
- Updates come only from
updates.surferse.com, signed, over TLS (patch 053).
- Rebase timing is public in the release notes.
the binary
Signed, notarized, checksummed.
macOS builds are signed with a UniAuth Inc. Developer ID and notarized by Apple. Every release's sha256 is published on the download page and in the release notes — check it before you open anything.
disclosure
Found something? Tell us first.
Coordinated disclosure, 90-day standard window, credit given unless you'd rather not. No legal threats for good-faith research — that's a promise, in writing, here.