Posted by Tim on Dec 27
All traditional modes that lack integrity protection are vulnerable to
chosen-ciphertext attacks in these kinds of scenarios. CFB isn’t
immune and CTR is catastrophically weak. All traditional modes need a
MAC or similar integrity protection. In light of that, there’s
nothing particularly wrong with using CBC, if it is implemented well.
At least, using it is not *more* wrong than using OFB, CFB, or CTR
without integrity protection….
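The malleability Tim describes, shown as an added example (not code from the post or from any library the thread discusses). It uses only the Python standard library: in place of a real block cipher it builds a 16-byte Feistel permutation from HMAC-SHA256 (an assumption made so it runs anywhere; use AES in real code), and the keys, nonce, IV and the "amount=…" message are constructed for the demonstration. The three demo functions show an attacker who knows the message layout turning "0100" into "9900" by flipping ciphertext bits: CTR passes the flips straight through to the plaintext, CBC does the same for the first block when the IV is flipped (flipping a later ciphertext block garbles that block and flips the next one), and encrypt-then-MAC rejects the forgery.

```python
import hashlib
import hmac

BLOCK = 16

# Constructed demo keys and nonce, fixed so runs are reproducible; real code
# draws them from a CSPRNG and never reuses a CTR nonce under one key.
ENC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_KEY = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
NONCE = bytes.fromhex("1122334455667788")  # 8-byte nonce + 8-byte counter


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(key, data):
    # Keyed round function: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # 4-round Feistel permutation over 16-byte blocks (Luby-Rackoff style).
    # Assumption: a stand-in for AES so the example needs no third-party module.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _prf(key, bytes([i]) + r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _prf(key, bytes([i]) + l)), l
    return l + r


def ctr_crypt(key, nonce, data):
    # CTR: keystream = E(nonce || counter); encrypt and decrypt are the same op.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    prev, out = iv, bytearray()
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, ct):
    prev, out = iv, bytearray()
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return bytes(out)


# Constructed message; the attacker knows the layout but not the key.
PLAINTEXT = b"amount=0100;to=alice"
OFFSET = PLAINTEXT.index(b"0100")
DELTA = _xor(b"0100", b"9900")  # bits to flip


def flip(buf, offset, delta):
    return buf[:offset] + _xor(buf[offset:offset + len(delta)], delta) + buf[offset + len(delta):]


def ctr_tamper():
    # CTR without a MAC: each flipped ciphertext bit flips the same plaintext bit.
    ct = ctr_crypt(ENC_KEY, NONCE, PLAINTEXT)
    return ctr_crypt(ENC_KEY, NONCE, flip(ct, OFFSET, DELTA))


def cbc_tamper():
    # CBC without a MAC: flipping IV bits flips the same bits of plaintext block 0
    # with no garbling (flipping C[i] instead garbles P[i] and flips P[i+1]).
    iv = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed IV
    ct = cbc_encrypt(ENC_KEY, iv, pkcs7_pad(PLAINTEXT))
    return pkcs7_unpad(cbc_decrypt(ENC_KEY, flip(iv, OFFSET, DELTA), ct))


def etm_encrypt(plaintext):
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, i.e. everything
    # the receiver will act on.
    ct = ctr_crypt(ENC_KEY, NONCE, plaintext)
    return NONCE + ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()


def etm_decrypt(blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare, before decrypting
        raise ValueError("integrity check failed")
    return ctr_crypt(ENC_KEY, nonce, ct)


def etm_tamper_detected():
    blob = etm_encrypt(PLAINTEXT)
    assert etm_decrypt(blob) == PLAINTEXT  # untampered round trip still works
    try:
        etm_decrypt(flip(blob, 8 + OFFSET, DELTA))  # same flip, now under the MAC
    except ValueError:
        return True
    return False
```

Both `ctr_tamper()` and `cbc_tamper()` return the forged `amount=9900;to=alice` without the attacker ever touching the key, which is the point of the post: the mode does not matter until a MAC (or an AEAD mode) is verified before any byte of the plaintext is used. Note that `etm_decrypt` checks the tag first and only then decrypts; verifying after decrypting, or unpadding before verifying, is what turns CBC into a padding oracle.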