I've been looking at a vulnerability in mail clients using pgp, described at 
efail.de. It is a technique where an attacker would inject a HTML IMG tag in an 
email, enveloping the encrypted text. This would send the cleartext message to 
the server inticated in the IMG tag.

To me, it seems that this attack would be defeated by signing the encrypted 
message, which (to my knowledge) most email clients does by default.

Am I missing something here? How do clients generally handle partially signed 
messages? Would they decrypt an encrypted message, if  it would be enveloped in 
a cleartext IMG tag?

Panina, malmö, sweden
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Attachment: signature.asc
Description: PGP signature

Gnupg-users mailing list

Reply via email to