We recently discovered, through formal analysis, two new attacks on OAuth (Technical Report). This publication was coordinated with the OAuth Working Group who released a statement on their mailing list and prepared a draft covering the recommended mitigations. The publication of the attacks was also covered in a press release by our university, and some press articles.

Our group hosted an OAuth Security Workshop to discuss these and other findings, background on OAuth security, and future improvements to OAuth in July 2016.

SPRESSO is a secure and privacy-respecting single sign-on system for the Web. We presented SPRESSO at CCS 2015. Read the technical report or try the online demo.

sElect is a lightweight, practical, and verifiable remote voting system. We presented sElect at CSF 2016. Read the technical report or try the online demo.

• 40th IEEE Symposium on Security and Privacy (IEEE S&P 2019)
• 4th OAuth Security Workshop 2019 (OSW 2019)

• 25th ACM Conference on Computer and Communications Security (ACM CCS 2018)
• 17th International Conference on Cryptology and Network Security (CANS 2018)
• 13th International Conference on Availability, Reliability and Security (ARES 2018)
• Workshop "Konstruktion von SafeWare" (KSW18-Workshop)
• The 16th International Conference on Applied Cryptography and Network Security (ACNS 2018)
• 12th Symposium and Summer School On Service-Oriented Computing (SummerSoC 2018)
• GI SICHERHEIT 2018
• 7th International Conference on the Principles of Security and Trust (POST 2018)
• 6th Workshop on Hot Issues in Security Principles and Trust (HotSpot 2018)
• 3rd OAuth Security Workshop (OSW 2018)

• 24th ACM Conference on Computer and Communications Security (ACM CCS 2017)
• The Network and Distributed System Security Symposium 2017 (NDSS 2017)
• IEEE Computer Security Foundations Symposium (CSF 2017)
• The 22nd European Symposium on Research in Computer Security (ESORICS 2017)
• The International Conference for Electronic Voting (E-Vote-ID 2017)
• 2nd Workshop on Advances in Secure Electronic Voting
• 12th International Conference on Availability, Reliability, and Security (ARES 2017)
• 5th Workshop on Hot Issues in Security Principles and Trust (HotSpot 2017)
• 2nd OAuth Security Workshop 2017 (OSW 2017)

• 1st OAuth Security Workshop 2016 (OSW 2016)
• 11th International Conference on Availability, Reliability, and Security (ARES 2016)
• 23rd ACM Conference on Computer and Communications Security (ACM CCS 2016)
• The 21st European Symposium on Research in Computer Security (ESORICS 2016)
• International Joint Conference on Electronic Voting (E-VOTE-ID 2016)
• Grande Region Security and Reliability Day 2016 (GRSRD 2016)
• 4th Workshop on Hot Issues in Security Principles and Trust (HotSpot 2016)

• 22nd ACM Conference on Computer and Communications Security (ACM CCS 2015)
• 10th International Conference on Availability, Reliability, and Security (ARES 2015)
• 8th International Workshop on Analysis of Security APIs (ASA8)
• 28th IEEE Computer Security Foundations Symposium (CSF 2015)
• Grande Region Security and Reliability Day 2015 (GRSRD 2015)
• 4th Conference on Principles of Security and Trust (POST 2015)
• 36th IEEE Symposium on Security and Privacy (S&P 2015)
• The 5th International Conference on e-Voting and Identity (VoteID 2015)

• 21st ACM Conference on Computer and Communications Security (ACM CCS 2014)
• 12th International Conference on Applied Cryptography and Network Security (ACNS'14)
• 9th International Conference on Availability, Reliability, and Security (ARES 2014)
• 7th International Workshop on Analysis of Security APIs (ASA 2014)
• CCSW 2014: The ACM Cloud Computing Security Workshop
• The Third ASE International Conference on Cyber Security (Cyber Security 2014)
• 6th International Conference on Electronic Voting (EVOTE 2014)
• Joint Workshop on Foundations of Computer Security and Formal and Computational Cryptography (FCS-FCC'14)
• 11th International Workshop on Formal Engineering Approaches to Software Components and Architectures (FESCA 2014)
• 11. Jahrestreffen der GI Fachgruppe “Formale Methoden und Software Engineering für Sichere Systeme” (FoMSESS 2014)
• 34th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2014)
• GI Sicherheit 2014
• 44. GI-Jahrestagung / Elektronische Wahlen
• Grande Region Security and Reliability Day 2014 (GRSRD 2014)
• Annual Meeting 2014 of the DFG Priority Programme 1496 "Reliably Secure Software Systems (RS3)"

• 11th International Conference on Applied Cryptography and Network Security (ACNS'13)
• 8th ARES conference (ARES 2013)
• 26th IEEE Computer Security Foundations Symposium (CSF 2013)
• Tutorials - ETAPS 2013
• 18th Estonian Winter School in Computer Science (EWSCS 2013)
• 11th International Workshop on Formal Engineering Approaches to Software Components and Architectures (FESCA 2013)
• 43. GI-Jahrestagung / Elektronische Wahlen: Ich sehe was, das Du nicht siehst – öffentliche und geheime Wahl
• Grande Region Security and Reliability Day 2013 (GRSRD 2013)
• Summer School Marktoberdorf 2013
• Second Conference on Principles of Security and Trust (POST 2013)
• RS3 Tutorial 2013

• 19th ACM Conference on Computer and Communications Security (ACM CCS 2012)
• 10th International Conference on Applied Cryptography and Network Security (ACNS'12)
• 7th ARES conference (ARES 2012)
• 5th International Workshop on Analysis of Security APIs (ASA 6)
• 32nd International Cryptology Conference (CRYPTO 2012)
• 25th IEEE Computer Security Foundations Symposium (CSF 2012)
• ASE/IEEE International Conference on Cyber Security 2012 (Cyber Security 2012)
• FESCA & ETAPS 2012
• Formal and Computational Cryptography (FCC'12)
• GI Sicherheit 2012
• Grande Region Security and Reliability Day 2012 (GRSRD 2012)
• First Conference on Principles of Security and Trust (POST 2012)

• 18th ACM Conference on Computer and Communications Security (ACM CCS 2011)
• CT-RSA 2011 - RSA Cryptographers' Track
• FESCA @ ETAPS 2011
• 2011 Grande Region Security and Reliability Day
• SecCo 2011
• 4th International Workshop on Analysis of Security APIs (ASA 5)
• Dagstuhl Seminar on Security and Rewriting