During the first three months of Hillary Clinton’s tenure as Secretary of State, the private mail server she used for sending emails was neither encrypted nor authenticated with digital certificates, according to a study of her mail domain by security firm Venafi.
That means that during those three months the server – clintonemail.com – would have been open to eavesdropping and compromise, the company says. The security issues are troubling because now-former Secretary of State Clinton has come under fire for using a private email server to conduct official business. Clinton has defended her private system and said it was secure.
The domain was registered before Clinton was sworn in as Secretary of State on Jan. 21, 2009, and the first certificate for it was registered on March 29, 2009, Venafi says, based on data it gathered using its new TrustNet service.
“Clintonemail.com operated for three months without a digital certificate,” Venafi says in an emailed statement. “This means that during the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed – allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information.”
Venafi has no proof that Clinton actually used the server during those three months, says Kevin Bocek, vice president of Security Strategy and Threat Intelligence, but says he thinks it’s likely she did, given that during those months Clinton was traveling outside the U.S. and would need email. Clinton says she never used the official State Department email system.
Venafi specifies the certificates and the entities that issued them: mail.clintonemail.com (Network Solutions), sslvpn.clintonemail.com (Network Solutions) and mail.clintonemail.com (GoDaddy). The first was issued on March 29, 2009, and the validity term of the GoDaddy certificate picks up on Sept. 13, when the initial one expired. That latest certificate expires Sept. 13, 2018.
The sslvpn.clintonemail.com certificate indicates that a VPN was used as “a mechanism to log in to another server,” Bocek says. That cert was valid from Feb. 4, 2012 to Feb. 4, 2013.
He says the use of GoDaddy indicates the level of maturity of the security scheme used for the mail servers. “Most security professionals I know who are running Fortune 500 or government systems are looking to security vendors that are not GoDaddy,” he says.
Bocek says the server does not run Perfect Forward Secrecy, which protects session keys from being compromised even if the server’s private key has been compromised. “A bank or a government would have enabled it,” he says. “It’s not a system that’s fortified. … Usually there’s an entire infrastructure to protect Microsoft Windows Server.”
Bocek says Clinton’s server is a Microsoft Internet Information Server (IIS) 7 running Exchange 2010 and is still active. “At the time of inspection, communications between the server and applications were being authenticated and encrypted,” the company says.
Venafi says it gathered the data about Clinton’s mail server using routine, non-intrusive Internet scanning.
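The forward-secrecy point above can be checked on a server you administer with an ordinary TLS handshake. The following is an added example, not Venafi's tooling or method: the function names are hypothetical, the classification assumes OpenSSL-style cipher names, and `mail.example.com` is a placeholder host.

```python
import socket
import ssl
import sys

# OpenSSL cipher-name prefixes that denote an ephemeral (EC)DH key exchange.
# "ECDH-" and "DH-" (static keys) and bare names such as "AES128-SHA"
# (static RSA key transport) are deliberately absent.
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(protocol: str, cipher: str) -> bool:
    """True if the negotiated protocol/suite gives forward secrecy."""
    # TLS 1.3 only defines ephemeral key exchange, whatever the suite name.
    if protocol == "TLSv1.3":
        return True
    return cipher.startswith(_EPHEMERAL_PREFIXES)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete one verified handshake and summarise what was negotiated."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher = tls.cipher()[0]
            protocol = tls.version()
            cert = tls.getpeercert()
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "host": host,
        "protocol": protocol,
        "cipher": cipher,
        "forward_secret": is_forward_secret(protocol, cipher),
        "issuer": issuer.get("organizationName"),
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
    }


if __name__ == "__main__":
    # Placeholder target; pass the name of a server you are responsible for.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for key, value in probe(target).items():
        print(f"{key}: {value}")
```

The result reflects the suite the server selected for this client's offer, so a `forward_secret: False` line means the server preferred or only supported a non-ephemeral key exchange for that handshake.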