The problem isn't just the code, it's the use of incredibly brittle but eminently fashionable modes like GCM and CTR, and algorithms like ChaCha20 that only work in CTR mode. Older modes like CBC are pretty abuse-resistant: repeat an IV or use an all-zero IV and the whole thing is very slightly less secure, while with something like GCM you get a catastrophic failure of security. And if you use CBC+HMAC you typically get key separation as an inherent property of the setup. The solution isn't to gaze into the middle distance and say "well everyone should just use SIV" (which has problems of its own) but to default to safer modes that don't fail catastrophically when used in the straightforward, obvious way.
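The asymmetry the post describes can be checked directly. The following Go program is an added example (not code from the original post) using only the standard library: under a reused nonce, AES-GCM ciphertexts XOR to the XOR of the plaintexts, while AES-CBC under a reused IV reveals only how many leading blocks the plaintexts share. The key, nonce, IV and the two messages are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GCMNonceReuseLeak seals p1 and p2 under one key and nonce and returns the XOR of the
// ciphertext bodies (tags stripped): the repeated CTR keystream cancels, leaving p1 XOR p2.
func GCMNonceReuseLeak(block cipher.Block, nonce, p1, p2 []byte) []byte {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	return xorBytes(c1[:len(p1)], c2[:len(p2)])
}

// CBCIVReuseLeak encrypts two block-aligned plaintexts under one key and IV and counts the
// leading ciphertext blocks that match: a repeated IV leaks only the shared-prefix length.
func CBCIVReuseLeak(block cipher.Block, iv, p1, p2 []byte) int {
	c1, c2 := make([]byte, len(p1)), make([]byte, len(p2))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c1, p1)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c2, p2)
	n, bs := 0, block.BlockSize()
	for n < len(c1)/bs && bytes.Equal(c1[n*bs:(n+1)*bs], c2[n*bs:(n+1)*bs]) {
		n++
	}
	return n
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 16-byte demo key, so NewCipher cannot fail
	p1 := []byte("sensor-17 report temp=021.5C ok!")     // 32 bytes: two AES blocks
	p2 := []byte("sensor-17 report temp=087.2C ok!")     // same first block as p1
	// The nonce and IV below are reused on purpose to show the failure mode.
	fmt.Println("GCM leaks p1^p2:", bytes.Equal(GCMNonceReuseLeak(block, []byte("unique-nonce"), p1, p2), xorBytes(p1, p2)))
	fmt.Println("CBC leaks equal leading blocks:", CBCIVReuseLeak(block, []byte("fixed-iv-16bytes"), p1, p2))
}
```

The GCM result holds for any plaintext pair and also voids the tag's integrity guarantee, whereas the CBC result is a one-bit-per-block equality leak and nothing more.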