by earthrise 4029 days ago
I usually consider this a "vulnerability" in the sense that the author probably intended to use AES and so they may have misunderstood the mcrypt API. Most importantly, they might have wanted AES-256 and missed the fact that mcrypt selects the key size based on the size of key you give it.

That does not appear to be the case this time, however, since the page acknowledges (in an update) "256 bit block" and the fact that it isn't AES. So I should probably make note of that in the CryptoFails post.

I'm unsure how well the analysis of AES (and the attacks against it) carry over to Rijndael-256, so I'd be hesitant to actually recommend it without asking a cryptographer... but, like you, I'd be very surprised if it was a source of vulnerability itself.

1 comments

I wouldn't actively recommend it. I would worry if someone was using Rijndael-128/256 to make a hash function. But apart from that: the gain in reduced malleability probably offsets any reduced security margin; in other words, using a larger block makes the realistic attacks somewhat harder.

There are probably zero crypto implementations that contain the string "AES" that use Rijndael-X/256 that aren't broken in some other comical way.