Clueless Clinton’s Email Server Was Unencrypted For Three Months, Researchers Say

Posted by on Mar 12, 2015 at 9:58 am
Former U.S. Secretary of State Hillary Clinton reacts as she is introduced before speaking at a campaign event for U.S. Senator Kay Hagan in Charlotte

Eh, what difference does it make?

In her first three months in office, Secretary of State Hillary Clintonvisited Japan, Indonesia, Korea, China, Egypt, Israel, Belgium, Switzerland, and Turkey. As she traveled across the world, any work emails sent from her personal email account (which we now know she used to conduct all State business) were sent in plain text without any way to verify the authenticity of her server, according tonew research from Venafi. It wasn’t until the end of March 2009 that a digital certificate was first installed on her email server, leaving the account extremely vulnerable to surveillance and spoofing in the meantime.

The news that Clinton had used a private email account while Secretary of State broke last Sunday, and more details have been trickling out ever since. Reports soon revealed that Clinton was using a private email server,, whose location has been traced to her home outside of New York City. On Tuesday, Clinton gave a press conference to address the situation, her first public comment since tweeting on March 4th:

As the tweet illustrates, the focus in this case has largely centered on transparency, government email policy, and the Freedom of Information Act. Clinton’s first public reaction was to say that she would release the emails to the public, not to address the security concerns around who might have already seen those emails had her personal account been compromised.

In the press conference, Clinton touched on the issue of security, saying that she did not email any classified information and that the account had never been compromised. Unfortunately, there’s no way Clinton (or anyone) can know that for sure. Not even the “most sophisticated security organizations” and Fortune 500 companies are able to make that kind of claim, says Kevin Bocek, Venafi Vice President of Security Strategy and Threat Intelligence. “Even though they believe they aren’t compromised, they often find out that they are.”

Venafi’s research shows that it would have been very easy to compromise the email account, especially during the first three months of Clinton’s tenure as Secretary of State. Without a digital certificate—which verifies that that an account is what it claims to be—her email account could have been spoofed and used to spread malware. Additionally, the lack of encryption means that the account could have been spied on without much difficulty—especially in places like China. “Those three months were really risky times especially given the travel of the secretary,” Bocek explained. “Certainly traveling to China raises a lot of concern.”

Democrats might want to understand that if they nominate this fraud they’ll be spending a lot of sleepless nights wondering when her emails will leak out. Have fun with that.

The concern is not only that the account might have been accessed, but also that it could have been used to harm other highly sensitive accounts. “Critical communication with foreign heads of state are not only at risk but this email account could be used to further infiltrate this governments,” says Patrick Peterson, CEO of Agari. Clinton’s account could have become a “carrier of cyber disease,” adds Tom Kellermann, Chief Cybersecurity Officer at TrendMicro, because attackers could have used the account to spread malware.

In late March 2009, a “Networks Solutions’ digital certificate and encryption for web-based applications” were installed for the first time on the server, according to Venafi’s research. Then days before the first certificate was set to expire in September 2013, the server got a new certificate from GoDaddy that is valid until 2018. While a step in the right direction, these digital certificates are hardly a reason to celebrate. The encryption didn’t mean that the emails themselves were encrypted—just access to the server.

Comments are closed.