While Thunderbird is open, but not being used, just downloading messages in folders in the background (constantly) - Enigmail will pop up the passphrase dialog. I didn't try and open an encrypted mail, I didn't receive an encrypted mail into the folder I had open, my best guess is that TB downloaded an encrypted mail in the background, prompting Enigmail to pop the dialog.

I've enabled debug logging, and there is no indication in the logs about what message triggers the dialog. I've long been suspicious of someone using the Enigmail prompt as a phishing scheme to extract passphrases. So I have a few questions/suggestions:

1) Is this a known bug/behavior? Does anyone know why this might be happening?

2) Would it be possible to have the subject and a unique identifier of the message be written to the logfile to identify which message threw the dialog?

3) Would you consider adding UI to the passphrase dialog? I envision this: (ASCII designed in

|-----------------------------------------------------------|
| Please type in your OpenPGP passphrase or SmartCard PIN   |
| ___________________________________________________       |
| [__________________________________________________]      |
|                                                           |
| [ ] Remember for 15 idle minutes       Message Details \/ |
|-----------------------------------------------------------|

When clicked, Message Details expands the dialog to:

|-----------------------------------------------------------|
| Please type in your OpenPGP passphrase or SmartCard PIN   |
| ___________________________________________________       |
| [__________________________________________________]      |
|                                                           |
| [ ] Remember for 15 idle minutes       Message Details /\ |
|                                                           |
| Subject: RE: OH MY GOD Becky, look at her butt. It's...   |
| Message ID: ljhilfjh124493ylihd8y3@aidjfi54jkldsfds...    |
|                                                           |
|-----------------------------------------------------------|

This would allow a user to check and see if that message really was received, or intended to be opened. If the dialog was not for a Message, it would just say "Details" and when expanded a phrase like "Your passphrase is needed to sign KeyID XXXXX" or "Your passphrase is needed to generate a revocation certificate."

Ultimately the goal is to expose to the user why their passphrase is needed, so if they want, they can reject the dialog because it makes no sense. ("I didn't _try_ to read that message...
why is Enigmail prompting me?")

-tom

_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net