[colmmacc]

Well, almost. AES-GCM is also "Cryptographically Broken" if you take into account software implementations using table lookup schemes that are subject to cache timing attacks. But the fundamental AEAD support in TLS1.2 is a much better place to be overall - and GCM tags are much better than the MAC-then-Encrypt HMACs elsewhere in TLS. For practical purposes; AES-GCM is the "least worst", by a long way.

[cesarb]

For the future, there's also the encrypt-then-MAC extension (https://tools.ietf.org/html/rfc7366, https://bugzilla.mozilla.org/show_bug.cgi?id=972145), and probably some variant of a ChaCha20+Poly1305 AEAD (https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-0..., https://bugzilla.mozilla.org/show_bug.cgi?id=917571, already on Chrome AFAIK).

For now, AES-GCM is the best alternative.

[edwintorok]

I like the alternative described here: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto...

"The end result is that Chrome talking to Google uses AES-GCM if there's hardware support at the client and ChaCha20-Poly1305 otherwise."

It seems to be specific to Chrome though, and all TLS clients would have to reimplement that choice. Would be good if there was a way to tell the SSL library to give you the best cipher that works on your hardware (i.e. don't give AES-GCM/AES-CBC when there is no hardware support and the software implementation isn't constant time).