I last got one of these in 2010 and assumed it must have died by now, but no, otherwise sensible organisations are still training their customers to fall victim to phishing attacks by asking them to open dodgy email attachments.
The product in question is Cisco Registered Envelope and it deals with the lack of security in email by sending you an encrypted HTML file. Opening this file sends you off to register on some website and then runs a Java app to decrypt the message. This is insane. The HTML attachment in insane and the Java applet is insane.
The latest email I got in this format was an appointment reminder from UCSF. I'm sure there is some HIPPA requirement that they can't just send medical information in a plain text email. But they could send an email that lets you know you should login to your account to see the appointment. It's not like the securedoc.html method is magic, you still have to create an account on a website to use it so it buys you literally nothing.
UCSF, shame on you. Look after your patients digital health as well as their physical health. Out of self interest if nothing else, nobody can pay you if their bank accounts have been emptied after falling victim to a real phishing attack.
Cisco, shame on you. This product is so wrong headed it's impossible to believe that you're doing anything right.
Thanks for the very sane commentary on an insane practice. Yes, the Registered Envelopes are still around. I received one today. It was apparently in response to an unfavorable review I left of a large insurance company's website after I encountered a number of glitches with it, including their somehow managing to lose an electronic fund transfer I attempted to make. The company already has my phone number and snail mail address, and I also have a login account on their website that is supposed to be secure. They could have easily instructed me to log in to their site directly and display whatever message they had for me there. My email program flagged the message as possibly coming from a forged address, although, according to whois, it appears legitimate. Nevertheless, I do not open unknown email attachments, and I have no intention of jumping through hoops so they can try to get me to retract my comments about their flaky site, if that is what this secure message is about. The email looks so much like a phishing attempt, with a vague subject line, and even contains a form where I am supposed to enter my password to send back to them. It is hard to imagine that anyone in their right mind would consider this a good idea.
I just received one of these today. It seem legitimate, as it came from United Health Care (UHC), with whom I had just completed a telephone conversation. The email had an attachment securedoc_xxxx.html which I was supposed to save locally and open with a browser. I saved it locally and opened it with a text editor (BBEdit). Yikes, it is a long and complicated executable program. My reaction was exactly the same as documented here - why would any reputable organization send executable programs as attachments to customers and expect the customer to run the program on their local system? This is seriously wrong!!!