> Why do you think that? Of course we (I am one of the founders of Tutanota) understand the difference between the two.

Because you put them on the same line item. https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-pass...

> Could you please describe the padding oracle? Knowing the padding algorithm is not enough to make up a padding oracle. The oracle must be able to decrypt the cipher text in order to tell the attacker if the padding is valid or not.

For fuck's sake, Google it. The top two search results explain it perfectly.

http://robertheaton.com/2013/07/29/padding-oracle-attack

https://blog.skullsecurity.org/2013/padding-oracle-attacks-i...

TL;DR: if you aren't using authenticated encryption, because you're using CBC mode with a block cipher, an attacker can keep sending forged messages until it decrypts successfully. It's much easier to forge messages on zero-byte padding than to exploit PKCS(5|7), but attackers can still exploit padding errors to tell if their message decrypted.
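The attack the two linked posts describe, as an added worked example (not code from the original thread, from Tutanota, or from either linked post). It assumes exactly the channel the comment above talks about: a recipient that decrypts CBC/PKCS#7 ciphertext and lets the attacker learn one bit, "padding valid" or "padding invalid", modelled here as `Recipient.padding_ok`. Whether a real system exposes such a bit is a separate question that this example does not settle; it only shows what an attacker can do once it exists. The block cipher is a toy 4-round Feistel network keyed with HMAC-SHA256, an assumption made so the file runs on the standard library alone; the attack never looks inside the cipher and works identically against AES. The sample message is constructed.

```python
"""Padding-oracle attack on CBC + PKCS#7: decrypt AND forge using only a
valid/invalid padding signal.  Toy Feistel cipher stands in for AES."""
import hashlib
import hmac
import secrets

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):          # Feistel round function (toy; assumption)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def pad(data):                     # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):                   # strict PKCS#7 check; this raise IS the oracle
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(prev, block_decrypt(key, ct[i:i + BLOCK]))
        prev = ct[i:i + BLOCK]
    return out


class Recipient:
    """Holds the key.  The attacker never sees it or any plaintext; the only
    thing that leaks is the boolean returned by padding_ok."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.queries = 0

    def encrypt(self, msg):
        iv = secrets.token_bytes(BLOCK)
        return iv + cbc_encrypt(self._key, iv, pad(msg))

    def padding_ok(self, data):    # data = IV || ciphertext
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, data[:BLOCK], data[BLOCK:]))
            return True
        except ValueError:
            return False


def recover_intermediate(oracle, block):
    """Recover D_k(block) byte by byte from the end, <=256 queries per byte,
    by sending forged IVs that make the decryption end in valid padding."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval      # known bytes forced to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + block):
                continue
            if pos == BLOCK - 1:               # rule out an accidental "02 02"
                forged[pos - 1] ^= 0xFF        # (or longer) padding: perturb
                still_ok = oracle(bytes(forged) + block)   # the byte before it
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted any padding")
    return bytes(inter)


def decrypt_via_oracle(oracle, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1])
                     for i in range(1, len(blocks)))
    return unpad(plain)


def forge_via_oracle(oracle, msg):
    """Encrypt a chosen message with no key: pick the last block at random,
    then walk backwards setting C[i-1] = D_k(C[i]) XOR P[i]; C[0] is the IV."""
    padded = pad(msg)
    cur, out = secrets.token_bytes(BLOCK), []
    out.append(cur)
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        cur = xor(recover_intermediate(oracle, cur), padded[i:i + BLOCK])
        out.insert(0, cur)
    return b"".join(out)


if __name__ == "__main__":
    r = Recipient()
    ct = r.encrypt(b"constructed sample: meet at the old mill, 9pm")
    print(decrypt_via_oracle(r.padding_ok, ct), "after", r.queries, "queries")
    forged = forge_via_oracle(r.padding_ok, b"attacker-chosen text")
    print(unpad(cbc_decrypt(r._key, forged[:BLOCK], forged[BLOCK:])))
```

Two things worth noticing when running it: the attacker's code never calls `block_decrypt` or touches `_key`, and the only place the recipient's behaviour differs between a good and a bad forgery is the `ValueError` in `unpad`. Any observable consequence of that branch (an error message, a status code, a timing difference, a retry) is the oracle; authenticating the ciphertext before decrypting, or using an AEAD mode, removes the branch entirely.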
> an attacker can keep sending forged messages until it decrypts successfully
There is simply no way for an attacker to find out if his forged messages decrypt successfully besides having full control of the recipient's machine. The padding oracle is useless in this case.