[olliej]

His point is that “zip” is an old data packaging format first, encrypted bundle second, many aeons ago the decryption was purely based - think “authenticated” PDFs that were plain text, but the application was meant to ask for a password before displaying the content.

Essentially, if you take an arbitrary “zip” implementation that offers password protection there are reasonably good odds that it isn’t using the “modern” aes based mechanism.

A predictable IV is only really useful if you can induce a target to repeatedly encrypt content using the same secret key, then an attacker can use known source content for some outputs to break the encryption for the unknown cases.

But again this requires a service that isn’t likely to really exist.