Noted. And, yeah, that sucks... a lot. However, my habit of always composing plain-text messages and exclusively using attached signatures seems to have inadvertently shielded me from those issues. :) It has been more than a year since that article; I wonder if those bugs have been cleaned up.
This[0] seems to indicate that the only email client that has real problems with attached signatures is Outlook Express. I can't bring myself to care much about Outlook Express users. (Is OE even installed on Windows 7 and later?)
That issue has been in the Thunderbird/Enigmail Rube Goldberg setup forever, and publicly discussed since at least 2006. Always, the response is, Don’t use Enigmail with HTML email. At this point, it would be bigger news if they manage to fix it, so I expect to be informed if it happens.
The bigger problems are that it’s not integrated and it’s not effective for shielding metadata. With difficulty and being mindful of the sharp edges, you can use OpenPGP on desktop. You need a clunky third-party email client to get it on mobile. Best case scenario, you send lots of extra data that gets ignored. Worst case, all those attached signatures get downloaded as files, causing confusion and anger. And there’s no interoperability with S/MIME, which actually is supported by most proprietary email clients.
OpenPGP does not protect metadata. It piggybacks on SMTP, which publishes the sender, recipient, and subject line in the clear, along with the identity and timing of each server in the transport path from when you send the email to when it lands in your recipient’s mailbox. PGP was originally conceived as the “envelope” to protect your message contents, but in this era of unlimited surveillance we need to do better.
If we're concerned about metadata and timing analysis, we could use something like a Mixmaster, along with TLS-only connections between email servers and between the server and its clients. This would essentially be Tor for SMTP, with the recipient's email server as the "exit node".
"Why aren't we doing this now?" Probably for the same reasons that we're going back to the 1990s world of Instant Messaging walled gardens; techies and cypherpunks are winning some battles but not most of them, and non-technical users don't understand what they give up when they choose a centralized Web and ISPs that make them incapable of acting as a peer on The Internet. [0]
To the rest of your comment:
To the best of my knowledge, I've never had Enigmail or Thunderbird mangle my PGP signatures. I participate in a few technical mailing lists; the folks there absolutely would tell me if my signatures were getting fucked up. For mail that doesn't go to these lists, I can double-check the message copied to my sent mail folder. :)
Installation of Enigmail on Windows, Linux and -I presume- Mac is trivial. Based on reports, the sharp edges that you speak of appear to be there; send only plaintext email and attach -rather than inline- your signature and you will -in my experience- avoid all of them.
The world of mobile software is largely a cesspool. Maybe I'm ignorant, but it seems like the only folks doing good privacy protection mobile software are Open Whisper Systems, the Tor Foundation (by way of Orbot), and WhatsApp. (The WhatsApp folks are in this list because of the work that Open Whisper Systems did to integrate TextSecure's near-zero-effort crypto into WhatsApp's software.)
[0] Yes, I totally understand that almost no one in the US has a real choice in ISP. Even here in Silicon Valley, I find myself prevented at every turn from giving my money to local, independent ISPs. There's a little comfort in the fact that Comcast allocates and routes up to a /60, and performs very, very little inbound filtering.
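Added example, not part of the thread: a Python check of a raw message for the two points discussed above, namely which metadata stays readable in transit regardless of OpenPGP and whether the signature is attached (PGP/MIME) or inline. The sample message, addresses and hostnames are constructed, and `audit` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample: plain-text body with an attached (PGP/MIME) signature.
SAMPLE = """\
Received: from mx1.example.net by mx2.example.org; Tue, 02 Feb 2016 10:00:05 +0000
Received: from laptop.example.net by mx1.example.net; Tue, 02 Feb 2016 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: meeting notes
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

See you at ten.
--sig
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--sig--
"""

def audit(raw):
    """Report signature style, HTML use, and metadata left readable in transit."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    texts = [p.get_payload() for p in leaves if p.get_content_maintype() == "text"]
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        style = "attached"   # PGP/MIME: signature travels as its own MIME part
    elif any("-----BEGIN PGP SIGNED MESSAGE-----" in t for t in texts):
        style = "inline"     # cleartext signature embedded in the body
    else:
        style = "unsigned"
    hops = []                # (receiving server, timestamp) from each Received header
    for received in msg.get_all("Received", []):
        info, _, stamp = received.rpartition(";")
        by = re.search(r"\bby\s+(\S+)", info)
        hops.append((by.group(1) if by else "?", parsedate_to_datetime(stamp.strip())))
    return {
        "signature": style,
        "has_html": any(p.get_content_type() == "text/html" for p in leaves),
        "cleartext": {h: msg[h] for h in ("From", "To", "Subject")},
        "hops": sorted(hops, key=lambda h: h[1]),
    }
```

Running `audit(SAMPLE)` shows the sender, recipient, subject and per-server timestamps are all recoverable without touching any key material, while the signature itself sits in a separate `application/pgp-signature` part.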