by catlifeonmars 1535 days ago
> In contrast decrypting data an adversary sent to you might reveal something, especially if you can be persuaded (as happened for HTTPS with older TLS versions and most popular implementations) to tell the adversary what happened when you tried so this will usually be dangerous and a rationale for why it's safe must be thorough if we want non-experts to do it.

What exactly happened for HTTPS with older TLS versions? Sounds like you’re alluding to some sort of oracle attack.

1 comments

A sort of oracle, yes. I believe there's a vulnerability with servers that are willing to attempt RSA kex (which no longer exists in TLS 1.3 and has been a bad idea for many years), where you can (at least in principle) arrange for them to do an operation which either reveals some bits of their private RSA key (extremely bad) or is equivalent to RSA signing a message of your choosing. RSA kex involves the server attempting to RSA decrypt messages chosen by an adversary.

It's fuzzy, perhaps somebody will remind me of the specifics.
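The "tell the adversary what happened" part of the reply is the crux: with RSA key exchange the server decrypts an attacker-chosen ciphertext and then checks the PKCS#1 v1.5 padding, and any observable difference between "padding valid" and "padding invalid" (a distinct alert, or a timing difference) is the oracle. The following is an added example, not code from the thread or from any TLS implementation. It models a simplified TLS 1.2 RSA key exchange with a toy inline RSA (generated at toy sizes, not for real use), and contrasts a server that returns a distinguishable error with one that applies the RFC 5246 countermeasure of substituting a random premaster secret and carrying on. The server and helper names, the alert strings and the malformed test ciphertext are all constructed for the demonstration.

```python
"""Toy model of the RSA key-exchange padding check the thread alludes to.

Added example, not from the thread. Assumes a simplified TLS 1.2 RSA kex:
the client encrypts a 48-byte premaster secret under PKCS#1 v1.5 padding
and the server decrypts it. RSA is implemented inline at toy sizes so the
script runs offline; it is not a usable cryptographic library.
"""
import os
import random

PREMASTER_LEN = 48
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=24):
    """Miller-Rabin after trial division by a few small primes."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full size
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Return (n, e, d). Toy size: 512-bit modulus gives a 64-byte block."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def modulus_bytes(n):
    return (n.bit_length() + 7) // 8


def pkcs1_v15_pad(msg, k):
    """EM = 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M."""
    ps_len = k - 3 - len(msg)
    assert ps_len >= 8, "message too long for modulus"
    ps = bytes(b or 1 for b in os.urandom(ps_len))  # toy: avoid zero bytes
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em, expected_len):
    """Return the payload, or None if the padding structure is wrong."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator missing, or PS shorter than 8 bytes
        return None
    msg = em[sep + 1:]
    return msg if len(msg) == expected_len else None


def rsa_encrypt(pub, msg):
    n, e = pub
    k = modulus_bytes(n)
    em = int.from_bytes(pkcs1_v15_pad(msg, k), "big")
    return pow(em, e, n).to_bytes(k, "big")


def rsa_decrypt_raw(priv, ct):
    n, d = priv
    k = modulus_bytes(n)
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")


def vulnerable_server(priv, ct):
    """Leaks the padding check: a distinct alert tells the peer whether
    the decrypted block was well formed. That difference is the oracle."""
    pms = pkcs1_v15_unpad(rsa_decrypt_raw(priv, ct), PREMASTER_LEN)
    if pms is None:
        return None, "decrypt_error"
    return pms, "ok"


def hardened_server(priv, ct):
    """RFC 5246 7.4.7.1 style: on any padding failure substitute a random
    premaster secret and proceed exactly as in the success path. The
    handshake then fails only at the Finished check, same as for a wrong
    but well-formed premaster, so the peer learns nothing about padding."""
    pms = pkcs1_v15_unpad(rsa_decrypt_raw(priv, ct), PREMASTER_LEN)
    if pms is None:
        pms = os.urandom(PREMASTER_LEN)
    return pms, "ok"


def malformed_ciphertext(pub):
    """Constructed test input: block type 0x01 instead of 0x02, so the
    unpadding step fails deterministically."""
    n, e = pub
    k = modulus_bytes(n)
    em = b"\x00\x01" + b"\xff" * (k - 3 - PREMASTER_LEN) + b"\x00" + bytes(PREMASTER_LEN)
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def responses_distinguishable(server, pub, priv):
    """True if the server's visible response differs between a well-formed
    and a malformed ClientKeyExchange: the property a defender must deny."""
    good = rsa_encrypt(pub, os.urandom(PREMASTER_LEN))
    bad = malformed_ciphertext(pub)
    return server(priv, good)[1] != server(priv, bad)[1]


if __name__ == "__main__":
    n, e, d = gen_keypair()
    pub, priv = (n, e), (n, d)
    print("vulnerable server leaks padding result:",
          responses_distinguishable(vulnerable_server, pub, priv))
    print("hardened server leaks padding result:",
          responses_distinguishable(hardened_server, pub, priv))
```

The model only captures the alert-level channel. A real implementation also has to make the failure and success paths take the same time and touch memory the same way, since a measurable timing difference in the padding check is an oracle just as much as a distinct alert is; that, plus the fact that RSA key exchange has no forward secrecy, is why TLS 1.3 dropped it entirely.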