I Thought He Came With You is Robert Ellison’s blog about software, marketing, politics, photography and time lapse.

Is it safe to open securedoc.html (Cisco Registered Envelope)?

Updated on Tuesday, May 14, 2019

Cisco's insane securedoc HTML attachment

I last got one of these in 2010 and assumed it must have died by now, but no, otherwise sensible organisations are still training their customers to fall victim to phishing attacks by asking them to open dodgy email attachments.

The product in question is Cisco Registered Envelope and it deals with the lack of security in email by sending you an encrypted HTML file. Opening this file sends you off to register on some website and then runs a Java app to decrypt the message. This is insane. The HTML attachment in insane and the Java applet is insane.

The latest email I got in this format was an appointment reminder from UCSF. I'm sure there is some HIPPA requirement that they can't just send medical information in a plain text email. But they could send an email that lets you know you should login to your account to see the appointment. It's not like the securedoc.html method is magic, you still have to create an account on a website to use it so it buys you literally nothing.

UCSF, shame on you. Look after your patients digital health as well as their physical health. Out of self interest if nothing else, nobody can pay you if their bank accounts have been emptied after falling victim to a real phishing attack.

Cisco, shame on you. This product is so wrong headed it's impossible to believe that you're doing anything right.

​(previously)