Hillary Clinton's email system was insecure for two months

Lack of SSL certificate could have exposed emails to eavesdropping attack

Hillary Clinton addresses questions over her use of personal e-mail while secretary of state during a news conference at the UN on March 10, 2015.

Hillary Clinton addresses questions over her use of personal e-mail while secretary of state during a news conference at the UN on March 10, 2015.

The private email system used by Hillary Clinton when she was U.S. Secretary of State didn't encrypt messages during the first two months of use, an Internet security company said on Wednesday.

That would have left emails sent and received by Clinton in early 2009 vulnerable to eavesdropping -- just when British and American intelligence agencies were reportedly spying on world leaders.

Internet records show the clintonemail.com domain was first registered on Jan. 13, 2009. Clinton became Secretary of State eight days later, but it wasn't until March 29 that the first SSL certificate was issued for the domain, according to Venafi, a security company that analyzes encryption keys and digital certificates.

The SSL certificate is necessary to encrypt connections from smartphones and computers accessing the Microsoft IIS server and its Outlook system. Without that security, data would be flowing across the Internet in plain text.

Around that time, British and American spy agencies were reportedly eavesdropping on world leaders. At the G20 summit in April 2009, they set up fake Internet cafes in the hope that government ministers and their staff would connect to Internet hotspots, allowing the agencies to tap unencrypted or poorly encrypted communications.

During her first months in office until the certificate was obtained, Clinton traveled to Japan, Indonesia, South Korea, China, Egypt, Israel, Palestine, Belgium, Switzerland, Turkey and Mexico.

It's possible that Clinton didn't use the email system until the certificate had been obtained, but Kevin Bocek [cq], vice president of security strategy and threat intelligence at Venafi, says he thinks that is unlikely. Due to the timing of the registration of the domain name and her swearing in, Bocek said it appears that the system was prepared for her to use as soon as she took office.

The State Department couldn't immediately confirm the date of the first email sent using the system.

The 2009 SSL certificate was obtained by Justin Cooper, who is presumably the former aide to President Clinton who has the same name. It was valid for four years and has since been renewed with a five year certificate -- a long time for such a certificate.

"Most security professionals wouldn't recommend that," said Bocek. "Google uses three-month certificates."

The certificate used a 2,048-byte key, which is a standard strength, although the server doesn't employ "perfect forward secrecy," said Bocek. That ensures mutliple emails cannot be accessed should a private key be stolen, and is a recommended setting in today's security-conscious environment.

The State Department has said Clinton didn't send or receive any classified information through her private email account. Even department officials don't use their state.gov addresses for classified material, which is sent over a separate network, but that doesn't mean Clinton didn't send or receive what the U.S. government calls "sensitive but unclassified" information.

The arrangement, while it appears unusual, was and is acceptable and legal, according to the State Department. The only obligation Clinton was under was to preserve her emails so they could become part of the government's official record.

She turned over 55,000 printed pages of email to the State Department in response to a request to her and other former secretaries of state several months ago. Of the others, Condoleezza Rice said she never used a personal email account, Madeleine Albright said she did not use email, and Colin Powell said he too used a personal email account, but he didn't take the emails with him when he left office and the account has been closed for a number of years.

Delivering her first remarks on the controversy on Tuesday, Clinton said, "Looking back, it would have been better that I simply used a second email account and carried a second phone, but at the time that didn't seem an issue."

She added that her email server had not been breached in any attacks.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags securityVenefi

More about GoogleIDGMicrosoftNewsSwitzerlandVenafi

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Martyn Williams

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place