Hi.

I've been looking at a vulnerability in mail clients using PGP, described at efail.de. It is a technique where an attacker would inject an HTML IMG tag in an email, enveloping the encrypted text. This would send the cleartext message to the server indicated in the IMG tag.

To me, it seems that this attack would be defeated by signing the encrypted message, which (to my knowledge) most email clients do by default. Am I missing something here? How do clients generally handle partially signed messages? Would they decrypt an encrypted message, if it would be enveloped in a cleartext IMG tag?

Panina, Malmö, Sweden

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users