
Breaking https' AES-GCM - baby
https://www.cryptologie.net/article/361/nonce-disrespecting-adversaries-practical-forgery-attacks-on-gcm-in-tls/
======
jfindley
I've never seen AES-CCM used in practice. As far as I know, no browser
supports it, and neither do most crypto libs - I think OpenSSL is the only one
that does. I've heard many very smart people say bad things about GCM for a
while now, and some have mentioned a preference for CCM - does anyone have any
background on why it's not more widely used?

I use ChaCha20-Poly1305 in several places, which avoids GCM weaknesses, and
while it's far more performant on mobile clients, it does seem to sacrifice
some amount of performance on current desktops (DJB's mail, posted to HN
earlier, provides some hope that this may change in the future).

