Venafi: First three months of Clinton private email was unencrypted and unauthenticated

Security firm Venafi says of Hillary's email: Indications are 'it's not a system that's fortified'.

During the first three months of Hillary Clinton's tenure as Secretary of State, the private mail server she used for sending emails was neither encrypted nor authenticated with digital certificates, according to a study of her mail domain by security firm Venafi.

That means that during those three months the server -- -- would be open to eavesdropping and compromise, the company says. The security issues are troubling because now former Secretary of State Clinton has come under fire for using a private email server to conduct official business. Clinton has defended her private system and said it was secure.

The domain was registered before Clinton was sworn in as Secretary of State on Jan. 21, 2009, and the first certificate for it was registered on March 29, 2009, Venafi says, based on data it gathered using its new TrustNet service.

" operated for three months without a digital certificate," Venafi says in an emailed statement. "This means that during the first 3 months of Secretary Clinton's term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as being and therefore could have been spoofed -- allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information."

Venafi has no proof that Clinton actually used the server during those three months, says Kevin Bocek, vice president of Security Strategy and Threat Intelligence, but says he thinks it's likely she did, given that during those months Clinton was traveling outside the U.S. and would need email. Clinton says she never used the official State Department email system.

Venafi specifies the certificates and the entities that issued them: (Network Solutions), (Network Solutions) and (GoDaddy). The first was issued on March 29, 2009 and valid terms of the GoDaddy certificate picks up Sept. 13 when the initial one expired. That latest certificate expires Sept. 13, 2018.

The indicates that a VPN was used as "a mechanism to log in to another server," Bocek says. That cert was valid from Feb. 4, 2012 to Feb. 4, 2013.

He says the use of GoDaddy indicates the level of maturity of the security scheme used for the mail servers. "Most security professionals I know who are running Fortune 500 or government systems are looking to security vendors that are not GoDaddy," he says.

Bocek says the server does not run Perfect Forward Secrecy, which protects session keys from being compromised even if the server's long-term private key has been compromised. "A bank or a government would have enabled it," he says. "It's not a system that's fortified. ... Usually there's an entire infrastructure to protect Microsoft Windows Server."

Bocek says Clinton's server is a Microsoft Internet Information Server (IIS) 7 running Exchange 2010 and is still active. "At the time of inspection, communications between the server and applications were being authenticated and encrypted," the company says.

Venafi says it gathered the data about Clinton's mail server using routine, non-intrusive Internet scanning.
