The server that Hillary Clinton used to conduct official business as secretary of state lacked one of the most basic and important security features for several months.
The server setup, which consisted of two computers running antivirus programs, lacked a digital certificate to authenticate and encrypt its email communications for the first two months of Clinton’s term, the Washington Post reported on Sunday.
Website operators install digital certificates on their servers to authenticate their sites. The certificates pair with cryptographic keys and allow Web browsers to start secure browsing sessions, which encrypt transmitted data so that third parties who intercept it cannot readily read it.
When you visit a website whose owner has installed a security certificate, you see a lock icon near your browser’s address bar, and the Web address contains the “https” prefix.
“This means that any emails she sent and received from her browser while connected to this server were not encrypted and could be easily intercepted,” Doug Beattie, vice president of product management for certificate provider GlobalSign, said in an email. “It’s unlikely foreign governments were not actively monitoring her emails, especially when traveling internationally.”
The Post reported that Clinton used her Blackberry while on foreign trips, including to China, which is notorious for its aggressive monitoring of domestic Internet traffic.
Beattie said that, even though the State Department never cleared Clinton to use her personal Blackberry or private email account for handling classified information, “using a digital certificate from a trusted [certificate authority] would have allowed for secure communications.”
Without a certificate, Beattie added, the server was vulnerable to so-called “man-in-the-middle attacks,” in which hackers insert themselves into the middle of a communications stream to intercept its contents.
Security certificates, issued by certificate authorities like GlobalSign, prevent such attacks by verifying to each party in an online conversation that the other party is authentic.
The revelation that Clinton’s server for some time did not employ a basic security measure comes as the former secretary of state has offered vague responses to questions about encryption and law-enforcement access to encrypted products.
Neither Clinton nor her Democratic rival, Vermont Sen. Bernie Sanders, would say whether they sided with Apple or the Justice Department in a case involving a dead terrorist’s locked iPhone. In that case, the government has demanded that Apple help it unlock the phone by writing special software, but the company is refusing on the grounds that it would set a dangerous precedent undermining encryption in all of its products.
On the broader question of whether tech companies should be required to build so-called “backdoors” in their encryption for law enforcement, Clinton did acknowledge the consensus of security experts that such an approach was technically dangerous, but she did not unequivocally reject the idea.
Clinton’s use of a personal email account, tied to the private server at her family’s New York home, has become one of the most potent scandals dogging her presidential campaign. It prompted questions about whether she was trying to skirt transparency laws, whether her actions had contributed to breaches of national security, and whether she and her aides understood the technical risks of the arrangement.
Clinton has said that she never knowingly sent classified information through the account, but the inspector general for the 17-member U.S. intelligence community determined that several dozen messages contained classified material. The FBI is investigating counterintelligence concerns arising from the unsecured transmission of the material.
The private server also allowed people to remotely access and configure it, a feature that poses a serious security threat if improperly configured.
“For data of this sensitivity,” security consultant Jason Fossen told the Post, “we would need at a minimum a small team to do monitoring and hardening.” Technicians would have to continuously check the server’s logs for signs that hackers had accessed it.