I am currently working as a penetration tester/security consultant at n.runs AG. Before that, I was a member of the Fraunhofer SIT security test lab. Earlier, I have been involved in security research both professionally at Cynops GmbH and independently and have discovered vulnerabilities in Firefox, Opera, Outlook and Office 2007, Adobe Reader as well as in some servers and services, oftentimes related to certificate handling. Below is a list of advisories I have published, you can find more research in the form of slides, papers and presentation recordings in the download section.
Together with Julian “zeri” Wälde, I presented at 28C3 on research we had been doing for some months. We revisited a Usenix Security paper from 2003 called “Denial of Service via Algorithmic Complexity Attacks” and found out that nearly all major web application platforms (PHP, Java, CRuby 1.8, Python, ASP.NET, v8, etc.) were vulnerable to a very effective Denial of Service attack by finding hash collisions for their string hash functions, which turned out to be easy. oCERT advisory #2011-003 and our own have the gory details. The video from the talk may also be instructive. Some patches were done on time and some missed the disclosure deadline by a few days or weeks. We also ruined Microsoft's perfect record for 2011 by forcing them to release MS-11-100, the first (and last) out-of-band security update for 2011. Erik Tews wrote a nice blog post and of course there was some press coverage as well: ars technica, Spiegel Online (in german).
In March 2010, the security test lab team I work in jointly discovered a flaw in the settings manager of Adobe's Flash Player which can lead to a privacy compromise (unnoticed activation of camera and microphone) in a MiTM situation if the user accepts a fake certificate for macromedia.com. For details, see the advisory or the slides from the talk I gave at mrmcd1001b. This vulnerability also generated some press coverage (The H, Heise Germany, FTD.de, Spiegel Online).
In September 2008, I discovered a non-persistent cross-site scripting vulnerability in cacert.org. This wouldn't normally make me write a security advisory, but as this was on the site of a certificate authority, I made an exception. See the advisory for more details.
In January 2008, I accidentally discovered that the parsing of client certificate DNs in Apache-SSL was faulty, leading to the possibility of overwriting parts of the DN and a minor memory disclosure. Details in the advisory.
In January 2008, I discovered that the certificate parsing in Microsoft's CryptoAPI could be used to trigger unwanted HTTP requests. This vulnerability affects Outlook, Windows Live Mail and Office 2007. A proof of concept is available by sending an empty mail to firstname.lastname@example.org or downloading the prepared Word 2007 document. Details are available in a whitepaper. This vulnerability also generated some press (Heise UK, Heise Germany) and was a large part of my EuSecWest 2008 talk on Abusing X.509 certificate features.
In September 2007, I discovered that with the help of SPKAC, Firefox could be used to install a TLS client certificate (more or less) silently. This certificate could then be used to track a user across different websites. This issue was fixed in Firefox 126.96.36.199. It is also present in (Mac OS X) Safari, which is why the proof of concept might still be useful. The vulnerability got covered on Heise UK and Heise Germany.
In July 2007, I accidentally discovered a design bug in Deutsche Post's internet stamping application Stampit Web, which could have lead to an easily executed DoS on their 120.000 customers. The advisory as well as the press articles (Heise UK, Heise Germany, Spiegel Online) provide more details.
I also discovered a stack buffer overflow in dproxy in March 2007. Details are available in the advisory. I also wrote a Metasploit module (dproxy.pm), but I can no longer offer it here due to crazy german laws.