Venafi: First three months of Clinton private email was unencrypted and unauthenticated

Security firm Venafi says of Hillary's email: Indications are 'it's not a system that's fortified'.

During the first three months of Hillary Clinton's tenure as Secretary of State, the private mail server she used for sending emails was unencrypted and unauthenticated using digital certificates, according to a study of her mail domain by security firm Venafi.

That means that during those three months the server -- -- would be open to eavesdropping and compromise, the company says. The security issues are troubling because now former Secretary of State Clinton has come under fire for using a private email server to conduct official business. Clinton has defended her private system and said it was secure.

The domain was registered before Clinton was sworn in as Secretary of State Jan. 21, 2009, and the first certificate for it was registered in March 29, 2009, Venafi says, based on data it gathered using its new TrustNet service.

" operated for three months without a digital certificate," Venafi says in an emailed statement. "This means that during the first 3 months of Secretary Clinton's term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as being and therefore could have been spoofed -- allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information."

Venafi has no proof that Clinton actually used the server during those three months, says Kevin Bocek, vice president of Security Strategy and Threat Intelligence, but says he thinks it's likely she did, given that during those months Clinton was traveling outside the U.S. and would need email. Clinton says she never used the official State Department email system.

Venafi specifies the certificates and the entities that issued them: (Network Solutions), (Network Solutions) and (GoDaddy). The first was issued in March 29, 2009 and valid terms of the GoDaddy certificate picks up Sept. 13 when the initial one expired. That latest certificate expires Sept. 13, 2018.

The indicates that a VPN was used as "a mechanism to log in to another server," Bocek says. That cert was valid from Feb. 4, 2012 to Feb. 4, 2013.

He says the use of GoDaddy indicates the level of maturity of the security scheme used for the mail severs. "Most security professionals I know who are running Fortune 500 or government systems are looking to security vendors that are not GoDaddy," he says.

Bocek says the server does not run Perfect Forward Secrecy, which protects session keys from being compromised even if the private key they were derived from has been compromised. "A bank or a government would have enabled it," he says. "It's not a system that's fortified. ... Usually there's an entire infrastructure to protect Microsoft Windows Server."

Bocek says Clinton's server is a Microsoft Internet Information Server (IIS) 7 running Exchange 2010 and is still active. "At the time of inspection, communications between the server and applications were being authenticated and encrypted," the company says.

Venafi says it gathered the data about Clinton's mail server using routine, non-intrusive Internet scanning.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags venafi

More about MicrosoftThreat IntelligenceVenafi

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Tim Greene

Latest Videos

More videos

Blog Posts