by tptacek 2093 days ago
You can read downthread commenters on this post taking away the message that when you select cryptographic building blocks, you need to determine "if you care about" message tampering. Which is, of course, not the message people need to hear.

Another note would be to point out that the limited attack you presented is a lot simpler to understand and execute in CTR mode (and has the benefit also of being more common in practice).


I've added a section on padding oracle attacks towards the bottom.

I don't think there's a significant difference in ease of understanding between most of the modes. I used CBC as it's one of the most common and familiar modes, and because it's where I have seen this issue many times. I don't see CTR used in the wild very often.

I also tend to use CBC for other demos as well, so it makes things consistent.

For the benefit of the thread: the variant of the CBC bitflipping attack that applies to the more common CTR stream cipher mode is: you simply XOR in whatever data you want, directly to the bytes you want to alter, and that's the end of the attack.

Is CTR more common?

It is much more common. It's also much easier to use.

Note that the common AEAD modes, AES-GCM and ChaCha20-Poly1305, are CTR + MAC. The most common style of MAC is Carter-Wegman MAC, the second most common is CCM and EAX and the like, after that HMAC. Nothing new uses CBC or CFB or OFB or any of those.
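To make the malleability discussed in this thread concrete, here is an added example (not code from the thread or from the linked post): a CTR-style stream cipher whose keystream comes from a constructed stand-in (HMAC-SHA256 in counter mode instead of AES), the byte-level edit the comment above describes, and the same edit rejected once the ciphertext is wrapped in encrypt-then-MAC with HMAC, one of the MAC options named above. The message, keys and offsets are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a block cipher in CTR mode: HMAC-SHA256 over
# (nonce || counter) yields the keystream. The malleability shown below follows
# from "ciphertext = plaintext XOR keystream" alone, so it holds for AES-CTR too.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))

ctr_decrypt = ctr_encrypt  # CTR is its own inverse

def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # XORing (old ^ new) into the ciphertext XORs the same delta into the
    # plaintext at that offset; no key and no decryption are involved.
    delta = xor(old, new)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext.
    ct = ctr_encrypt(enc_key, nonce, data)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampering detected before any plaintext is released
    return ctr_decrypt(enc_key, nonce, ct)

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"amount=0100;to=alice"  # constructed sample message
    # Bare CTR: the edit lands exactly on the targeted bytes.
    unauth = ctr_decrypt(enc_key, nonce, flip(ctr_encrypt(enc_key, nonce, msg), 7, b"0100", b"9999"))
    # Same edit against encrypt-then-MAC: the tag no longer verifies.
    blob = etm_encrypt(enc_key, mac_key, nonce, msg)
    auth = etm_decrypt(enc_key, mac_key, blob[:16] + flip(blob[16:-32], 7, b"0100", b"9999") + blob[-32:])
    return unauth, auth
```

`demo()` returns the silently altered plaintext for bare CTR and `None` for the authenticated version, which is the whole argument for AEAD in one call.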