Which simple mode of encryption is susceptible to the padding-oracle attack and should not be used?

The Cipher Block Chaining (CBC) mode of encryption is particularly susceptible to the padding oracle attack due to its use of padding in the encryption process. In CBC mode, each plaintext block is XORed with the previous ciphertext block before being encrypted. This structure requires padding for plaintexts that are not a multiple of the block size.

The padding oracle attack exploits the way error messages are handled during decryption. An attacker can manipulate the ciphertext in such a way that the decryption process either reports an error or succeeds based on whether the padding is correct. By sending multiple modified ciphertexts and observing the application's responses, the attacker can gradually deduce the plaintext contents. This is because the presence or absence of error messages reveals information about the plaintext, making CBC vulnerable if appropriate precautions are not taken.

In contrast, the other encryption modes listed, such as Output Feedback (OFB), Triple DES, and Counter mode (CTR), do not inherently use padding in the same way as CBC and are not as vulnerable to the padding oracle attack. These modes have different structures and methods for handling data that do not make them susceptible to the same kind of attack based on padding correctness. Therefore, CBC should be avoided in scenarios where such risks are a concern, especially without