
Enigmail leaks IP Addresses

If you want to send and receive GnuPG-encrypted emails in Thunderbird, there is no way around the Enigmail encryption plugin. We have recently become aware of a potential problem in Enigmail, whereby the user's IP address is revealed to the recipient of an email. It affects Enigmail 2.0 and later.

As soon as you compose a new email and enter a valid email address in the To: field, Enigmail automatically sends an unsolicited HTTPS request to the recipient's email domain to check whether the recipient's public PGP key is available. The same happens if you click "Reply" in an existing mail, so you effectively send a notice of receipt: the request is made even if the composed email or reply is never sent. The request happens as soon as a valid address is found in the sender field.

The called URL is formed according to a standardized IETF draft scheme [1]. For example, for the email address, the URL would look like this:<HASH>
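The following sketch is an added example, not code from Enigmail or from this page. It builds the lookup URL the way the Web Key Directory draft describes (SHA-1 of the lowercased local part, z-base-32 encoded) and shows that the requested path alone identifies the mailbox being looked up. The address `Joe.Doe@Example.ORG` is the draft's own sample address, the draft's "direct" URL form is assumed, and `mailbox_for_path` is a hypothetical helper.

```python
import hashlib

# z-base-32 alphabet used by the Web Key Directory draft
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def wkd_hash(local_part):
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    value = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(value >> shift) & 0x1F]
                   for shift in range(155, -1, -5))


def wkd_url(address):
    """Build the lookup URL (assumed: the draft's 'direct' form)."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("not an email address: %r" % address)
    return "https://%s/.well-known/openpgpkey/hu/%s" % (
        domain.lower(), wkd_hash(local_part))


def mailbox_for_path(path, mailboxes):
    """Hypothetical helper: map a requested path back to a known mailbox.

    The hash is unsalted, so whoever runs the recipient domain can tell
    which mailbox a lookup refers to and pair it with the client IP.
    """
    requested = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    for address in mailboxes:
        if wkd_hash(address.rpartition("@")[0]) == requested:
            return address
    return None


if __name__ == "__main__":
    # Constructed sample data: mailboxes hosted on the recipient domain
    hosted = ["alice@example.org", "Joe.Doe@Example.ORG"]
    url = wkd_url("Joe.Doe@Example.ORG")
    print(url)
    print(mailbox_for_path(url.split("example.org", 1)[1], hosted))
```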

For the Enigmail developer this is not a problem but a desired feature: in version 2.1.16, GnuPG introduced the "Web Key service for Enigmail" [2], [3], which provides this feature.

However, the Enigmail developer points out that this behavior can be disabled. Open the Thunderbird settings, navigate via "Advanced" to "Config Editor", and search for "extensions.enigmail.autoWkdLookup". Set its value to 0.

Perfect Privacy users protected from IP leak

Anyone who uses a VPN such as Perfect Privacy is at least protected from the IP leak, since the IP address transmitted is that of the VPN server rather than the user's own.

However, the problem with the notice of receipt remains. If you do not want unsolicited packets to be sent to the recipient domain, you should apply the workaround mentioned above.

[1] [2] [3]