by kaoD 3219 days ago
Well that's a gotcha on AES-CTR too.

GP is asking about mistakes that could happen on AES-GCM that won't happen with AES-CTR+HMAC.

I'm no crypto expert, but I'd say there are more opportunities for messing up with AES-CTR+HMAC, like forgetting to MAC the IV.

1 comments

Nonce reuse for CTR gives you the plaintext of those messages. (Well, the XOR of them, from which you can probably figure out the rest.) Nonce reuse for GCM gives up the key.
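
An added example, not part of either comment above: it shows the two CTR+HMAC points raised in the thread, that a tag computed over the ciphertext alone still verifies after the IV is changed, and that two messages encrypted under the same nonce XOR to the XOR of their plaintexts. As an assumption to keep it standard-library only, the keystream is HMAC-SHA256 in counter mode standing in for AES-CTR; the keys, IV, messages and function names are all constructed for the demonstration.

```python
import hashlib
import hmac

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in for AES-CTR (assumption): block i = HMAC-SHA256(key, iv || i).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, mac_key, iv, pt, mac_iv=True):
    # Encrypt-then-MAC. mac_iv=False reproduces the "forgot to MAC the IV" mistake.
    ct = xor(pt, keystream(enc_key, iv, len(pt)))
    covered = iv + ct if mac_iv else ct
    return iv, ct, hmac.new(mac_key, covered, hashlib.sha256).digest()

def open_(enc_key, mac_key, iv, ct, tag, mac_iv=True):
    # Verify the tag in constant time before touching the ciphertext.
    covered = iv + ct if mac_iv else ct
    expected = hmac.new(mac_key, covered, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return xor(ct, keystream(enc_key, iv, len(ct)))

# Constructed sample values; real code uses random keys and a fresh IV per message.
ENC_KEY, MAC_KEY = bytes(range(32)), bytes(range(32, 64))
IV = bytes(16)
MSG = b"transfer 100 to alice"

def iv_swap_accepted(mac_iv: bool) -> bool:
    """True if a message whose IV was altered in transit still passes the tag check."""
    iv, ct, tag = seal(ENC_KEY, MAC_KEY, IV, MSG, mac_iv)
    altered_iv = b"\x01" + iv[1:]
    try:
        received = open_(ENC_KEY, MAC_KEY, altered_iv, ct, tag, mac_iv)
    except ValueError:
        return False  # tag covered the IV, so the change is detected
    return received != MSG  # accepted, but the receiver got different bytes

def reuse_leaks_xor() -> bool:
    """True if two ciphertexts under one (key, IV) XOR to the XOR of the plaintexts."""
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    _, c1, _ = seal(ENC_KEY, MAC_KEY, IV, p1)
    _, c2, _ = seal(ENC_KEY, MAC_KEY, IV, p2)
    return xor(c1, c2) == xor(p1, p2)
```
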