[MatthiasPfau]

Thanks for clarifying.

> an attacker can keep sending forged messages until it decrypts successfully

There is simply no way for an attacker to find out if his forged messages decrypt successfully besides having full control of the recipients machine. The padding oracle is useless in this case.

[sarciszewski]

"The padding oracle is useless because we don't behave differently if decryption fails" doesn't really inspire confidence.

Why is there so much resistance to implementing authenticated encryption? It would literally take 10 minutes to implement, with constant time MAC verification on the recipient's end. That includes the time to unit test it.

Hell, I could send a pull request right now to do it if your team doesn't have the expertise on board.

Better yet: use Libsodium.

https://paragonie.com/blog/2015/09/how-to-safely-implement-c...

[MatthiasPfau]

> Why is there so much resistance to implementing authenticated encryption?

We already stated that we are going to implement authenticated encryption. But when we do it we have to do it right. We have to keep everything backwards compatible and we can't enable one client to use the new implementation until all supported clients (JS, .NET (Outlook), Android and iOS) are upgraded. Implementing this kind of backward compatibility will not take only 10 minutes.

Please submit a pull request that keeps everything backwards compatible and works for all platforms. We are happy about everyone who wants to contribute.

[sarciszewski]

> Please submit a pull request that keeps everything backwards compatible and works for all platforms.

Secure crypto is never backwards compatible with insecure crypto. If you want to expose your users to downgrade attacks, have fun.