Hanno Böck - IT Security


Vulnerabilities found

I have discovered the following notable vulnerabilities (sometimes in teams with others):

  • 16 years of CVE-2008-0166 - Debian OpenSSL Bug - Breaking DKIM and BIMI in 2024
  • Bypassing HTTP Strict Transport Security (HSTS) in common configurations with Firefox (CVE-2024-0753)
  • STARTTLS weaknesses (2021) in e-mail servers and clients.
  • Nonce-Disrespecting Adversaries (2016) - an attack on AES-GCM implementation flaws in TLS
  • ROBOT (2017) - Return of Bleichenbacher's Oracle Threat - vulnerability breaking RSA encryption due to TLS implementation flaws.

Other noteworthy achievements:

  • I convinced the certificate authority Symantec to revoke a certificate based on a fake private key.
  • I built Gentoo Linux with Address Sanitizer, finding countless memory safety bugs in many core Open Source software packages.
  • 2018 Pwnie Award for Best Cryptographic Attack.

I am developing the following Open Source security tools:

  • badkeys - detecting cryptographic public keys with known vulnerabilities.
  • snallygaster - finding file leaks on websites.
  • freewvs - scans web roots for known vulnerable web applications.