
While Thunderbird is open but not being used, just downloading messages in
folders in the background (constantly), Enigmail will pop up the passphrase
dialog. I didn't try and open an encrypted mail, and I didn't receive an
encrypted mail into the folder I had open; my best guess is that TB downloaded
an encrypted mail in the background, prompting Enigmail to pop the dialog.

I've enabled debug logging, and there is no indication in the logs about what 
message triggers the dialog.  I've long been suspicious of someone using the 
Enigmail prompt as a phishing scheme to extract passphrases. So I have a few 
questions/suggestions:

1) Is this a known bug/behavior? Does anyone know why this might be happening?
2) Would it be possible to have the subject and a unique identifier of the 
message be written to the logfile to identify which message threw the dialog?
3) Would you consider adding UI to the passphrase dialog?  I envision this:

(ASCII designed in 

|-----------------------------------------------------------|
|  Please type in your OpenPGP passphrase or SmartCard PIN  |
|  ___________________________________________________      |
|  [__________________________________________________]     |
|                                                           |
|  [  ] Remember for 15 idle minutes     Message Details \/ |
|-----------------------------------------------------------|

When clicked, Message Details expands the dialog to:

|-----------------------------------------------------------|
|  Please type in your OpenPGP passphrase or SmartCard PIN  |
|  ___________________________________________________      |
|  [__________________________________________________]     |
|                                                           |
|  [  ] Remember for 15 idle minutes     Message Details /\ |
|                                                           |
|   Subject: RE: OH MY GOD Becky, look at her butt. It's... |
|   Message ID: ljhilfjh124493ylihd8y3@aidjfi54jkldsfds...  |
|                                                           |
|-----------------------------------------------------------|

This would allow a user to check and see if that message really was received, 
or intended to be opened.  If the dialog was not for a Message, it would just 
say "Details" and when expanded a phrase like "Your passphrase is needed to 
sign KeyID XXXXX" or "Your passphrase is needed to generate a revocation 
certificate."  Ultimately the goal is to expose to the user why their 
passphrase is needed, so if they want, they can reject the dialog because it 
makes no sense.  ("I didn't _try_ to read that message... why is Enigmail 
prompting me?")

-tom

_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
