Single sign-on (SSO) systems, such as OpenID and OAuth, allow web sites, so-called relying parties (RPs), to delegate user authentication to identity providers (IdPs), such as Facebook or Google. These systems are very popular, as they provide a convenient means for users to log in at RPs and move much of the burden of user authentication from RPs to IdPs. There is, however, a downside to current systems, as they do not respect users’ privacy: IdPs learn at which RP a user logs in. With one exception, namely Mozilla’s BrowserID system (a.k.a. Mozilla Persona), current SSO systems were not even designed with user privacy in mind. Unfortunately, recently discovered attacks, which exploit design flaws of BrowserID, show that BrowserID does not provide user privacy either. In this paper, we therefore propose the first privacy-respecting SSO system for the web, called SPRESSO (for Secure PrivacyREspecting Single Sign-On). The system is easy to use, decentralized, and platform indepen...