HTTP base auth triggered and displayed
OpenPGP addon for Mozilla Thunderbird
Brought to you by:
pbrunschwig
Today I was about to respond to an unencrypted email. When I hit the "respond" button, suddenly a window opened and asked for username and password. This behavior is triggered by Enigmail. It does not happen when Enigmail is disabled. (See attached screenshot). Maybe it is related to https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-06
This should better be fixed, because this way, password phishing attacks are possible.
That's certainly triggered by WKD requests.
The short term option you have is to disable WKD lookups entirely if you don't want this to happen. WKD Lookup can be disabled via modifying extensions.enigmail.autoWkdLookup from the config editor for this purpose.
Last edit: Patrick Brunschwig 2018-10-18
Can I ask what the fix is?
Your comment indicates this is an underlying Thunderbird issue and can't be fixed within Enigmail.
The fix is that I set a dummy user name and password in the XMLHttpRequest. In case the server requests username and/or password, Thunderbird will send the dummy values, which will lead to a (silent) authentication error.
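The mitigation described in the last reply, as an added example (not Enigmail's actual code): a WKD lookup that passes throwaway credentials to XMLHttpRequest.open() so that a server's HTTP auth challenge fails silently instead of raising a login prompt. The function names, the dummy values and the injected XhrCtor are assumptions; the URL layout is the direct method from the WKD draft linked above.

```javascript
// Added example, not Enigmail's source. Names and dummy values are assumptions.
const nodeCrypto = require("crypto");

const ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769";

// z-base-32 encode a byte buffer, most significant bit first.
function zbase32(bytes) {
  let out = "", acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b;
    bits += 8;
    while (bits >= 5) {
      out += ZBASE32[(acc >>> (bits - 5)) & 31];
      bits -= 5;
    }
    acc &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += ZBASE32[(acc << (5 - bits)) & 31];
  return out;
}

// WKD URL: SHA-1 of the lowercased local part, z-base-32 encoded.
function wkdUrl(email) {
  const at = email.lastIndexOf("@");
  const local = email.slice(0, at).toLowerCase();
  const domain = email.slice(at + 1).toLowerCase();
  const digest = nodeCrypto.createHash("sha1").update(local, "utf8").digest();
  return `https://${domain}/.well-known/openpgpkey/hu/${zbase32(digest)}`;
}

// Look up a key without letting the remote server trigger a credential prompt.
// XhrCtor is injected so the logic can be exercised outside Thunderbird.
function wkdLookup(email, XhrCtor, onDone) {
  const xhr = new XhrCtor();
  // Credentials are supplied up front (constructed placeholder values): if the
  // server answers with an auth challenge, these are sent and the request
  // ends in an authentication error rather than a dialog shown to the user.
  xhr.open("GET", wkdUrl(email), true, "no-user", "no-password");
  xhr.responseType = "arraybuffer";
  xhr.onload = () => onDone(xhr.status === 200 ? xhr.response : null);
  xhr.onerror = () => onDone(null);
  xhr.send();
}
```

Any status other than 200, including the 401 produced by the rejected dummy credentials, is treated as "no key published".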