Today, your reasonable choices for block cipher modes are CTR and CBC.
And: (If you have a library that does any of the "authenticated modes" like CCM, OCB, GCM, or EAX, your reasonable choices are those 4 constructions, all of which are based on CTR mode.)
But your comment gave me hives, because CTR mode is in its most simple application (no parallel, no precomputation, no seeking, no lossiness) already easy to spectacularly fuck up, and some of the things you pointed out as benefits of CTR come with additional pitfalls.
Finally, what is a "default" in a standard is different from a "default" as provided by a library. ECB is the "default" because (a) it usually is the default, and (b) it requires the least amount of configuration. In 2011, it is still sadly common to see trivially breakable ECB in new apps, and that's because crypto libraries are structured in ways that make ECB the de facto default.
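An added example, not part of the comment above: an audit check that flags ECB output by counting repeated aligned 16-byte ciphertext blocks, run on the same constructed plaintext under ECB and under CTR. Assumptions: `toy_block` uses truncated HMAC-SHA256 as a stand-in for AES's encrypt direction so the block runs on the standard library alone, all function names are hypothetical, and the key, nonce and plaintext are constructed.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes


def toy_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for E(key, block): keyed and deterministic, which is the only
    # property this demonstration relies on. Not a real block cipher.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every padded block is encrypted independently with no IV or nonce.
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    return b"".join(toy_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # CTR: keystream block i is E(key, nonce || i), XORed into the plaintext.
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        ks = toy_block(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], ks))
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    # Number of aligned full blocks that duplicate an earlier block.
    blocks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    return sum(c - 1 for c in Counter(blocks).values() if c > 1)


def looks_like_ecb(ciphertext: bytes, threshold: int = 1) -> bool:
    # Under a sound mode, a repeated 16-byte block is vanishingly unlikely.
    return repeated_blocks(ciphertext) >= threshold


# Constructed inputs: four identical 16-byte fields followed by a short one.
KEY = b"constructed-demo-key"
NONCE = b"\x00\x01\x02\x03\x04\x05\x06\x07"
SAMPLE = b"role=user;pad=00" * 4 + b"name=alice"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, SAMPLE)))
    print("CTR repeats:", repeated_blocks(ctr_encrypt(KEY, NONCE, SAMPLE)))
```

A hit from `looks_like_ecb` on stored or captured ciphertext is a reason to check which mode the application's crypto library call actually selected.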