I Thought He Came With You is Robert Ellison’s blog about software, marketing, politics, photography, time lapse and the occasional well deserved rant.

Cisco's insane securedoc HTML attachment

I last got one of these in 2010 and assumed it must have died by now, but no. Otherwise sensible organisations are still training their customers to fall victim to phishing attacks by asking them to open dodgy email attachments.

The product in question is Cisco Registered Envelope and it deals with the lack of security in email by sending you an encrypted HTML file. Opening this file sends you off to register on some website and then runs a Java app to decrypt the message. This is insane. The HTML attachment is insane and the Java applet is insane.

The latest email I got in this format was an appointment reminder from UCSF. I'm sure there is some HIPAA requirement that they can't just send medical information in a plain text email. But they could send an email that lets you know you should log in to your account to see the appointment. It's not like the securedoc.html method is magic; you still have to create an account on a website to use it, so it buys you literally nothing.

UCSF, shame on you. Look after your patients' digital health as well as their physical health. Out of self-interest if nothing else: nobody can pay you if their bank accounts have been emptied after falling victim to a real phishing attack.

Cisco, shame on you. This product is so wrong-headed it's impossible to believe that you're doing anything right.

Comments

Debbie

Thanks for the very sane commentary on an insane practice. Yes, the Registered Envelopes are still around. I received one today. It was apparently in response to an unfavorable review I left of a large insurance company's website after I encountered a number of glitches with it, including their somehow managing to lose an electronic fund transfer I attempted to make. The company already has my phone number and snail mail address, and I also have a login account on their website that is supposed to be secure. They could have easily instructed me to log in to their site directly and display whatever message they had for me there. My email program flagged the message as possibly coming from a forged address, although, according to whois, it appears legitimate. Nevertheless, I do not open unknown email attachments, and I have no intention of jumping through hoops so they can try to get me to retract my comments about their flaky site, if that is what this secure message is about. The email looks so much like a phishing attempt, with a vague subject line, and even contains a form where I am supposed to enter my password to send back to them. It is hard to imagine that anyone in their right mind would consider this a good idea.
