We published a new attack called ALPACA. ALPACA is an application layer protocol content confusion attack that exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one…
In cooperation with /upb/hack, we organize an IT Security "Stammtisch". The topics in the first months include Content Security Policy, OpenID Connect, and PDF security.
We are searching for motivated students who would like to work on CTF challenges and further maintain or develop the CTF platform developed by the students of UPB.
In our work, we analyze DTLS implementations using state learning methods and uncover several nice bugs in widely used libraries. For example, we found a client-authentication bypass in JSSE (CVE-2020-2655), the default (D)TLS stack used in Java.
You can read the preliminary paper version here:
https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean
Or, you can already watch a talk presented by Robert Merget at…