Hillary Clinton’s private email server lacked basic security feature for months
Clinton’s campaign has insisted that she did nothing wrong in using the private server.
The server that Hillary Clinton used to conduct official business as secretary of state lacked one of the most basic and important security features for several months.
The server setup, which consisted of two computers running antivirus programs, lacked a digital certificate to authenticate and encrypt its email communications for the first two months of Clinton’s term, the Washington Post reported on Sunday.
Website operators install digital certificates on their servers to authenticate their sites. Each certificate is bound to a cryptographic key pair and allows Web browsers to start secure browsing sessions, which encrypt transmitted data so that a third party who intercepts it cannot read it.
When you visit a website whose owner has installed a security certificate, you see a lock icon near your browser’s address bar, and the Web address contains the “https” prefix.
“This means that any emails she sent and received from her browser while connected to this server were not encrypted and could be easily intercepted,” Doug Beattie, vice president of product management for certificate provider GlobalSign, said in an email. “It’s unlikely foreign governments were not actively monitoring her emails, especially when traveling internationally.”
The Post reported that Clinton used her Blackberry while on foreign trips, including to China, which is notorious for its aggressive monitoring of domestic Internet traffic.
Beattie said that, even though the State Department never cleared Clinton to use her personal Blackberry or private email account for handling classified information, “using a digital certificate from a trusted [certificate authority] would have allowed for secure communications.”
Without a certificate, Beattie added, the server was vulnerable to so-called “man-in-the-middle attacks,” in which hackers insert themselves into the middle of a communications stream to intercept its contents.
Security certificates, issued by certificate authorities like GlobalSign, prevent such attacks by verifying to each party in an online conversation that the other party is authentic.
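As an added illustration, not part of this article or the Post's reporting, here is a toy Python model of the verification step Beattie describes: a certificate authority signs the binding between a host name and a public key, and a client that checks that signature rejects a key that has been substituted in transit or a certificate issued for a different name. In TLS the certificate normally authenticates the server to the connecting client. The CA, the host name mail.example.com and the tiny RSA keys are all constructed for the example; real deployments use X.509 certificates and far larger keys.

```python
"""Toy model of a CA-issued certificate authenticating a mail server (constructed; tiny RSA keys)."""
import hashlib
import json
E = 65537  # conventional RSA public exponent

def next_prime(n):
    """Smallest prime >= n by trial division (toy key sizes only)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keygen(seed):
    """Deterministic toy RSA key pair: ((n, e), (n, d))."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def hash_mod(fields, n):
    """Canonical hash of the certificate body, reduced mod the signer's modulus."""
    raw = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def issue_certificate(ca_priv, subject, subject_pub):
    """The CA binds a host name to a public key and signs that binding."""
    body = {"subject": subject, "pubkey": list(subject_pub)}
    n, d = ca_priv
    return {**body, "sig": pow(hash_mod(body, n), d, n)}

def verify_certificate(cert, ca_pub, expected_host):
    """Client-side check before trusting a server key: CA signature, then host name."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    n, e = ca_pub
    if pow(cert["sig"], e, n) != hash_mod(body, n):
        return False, "signature does not verify under the trusted CA key"
    if cert["subject"] != expected_host:
        return False, "certificate is for a different host"
    return True, "ok"

CA_PUB, CA_PRIV = keygen(1_000_000)          # constructed trusted CA
SERVER_PUB, _ = keygen(2_000_000)            # the mail server's own key
OTHER_PUB, OTHER_PRIV = keygen(3_000_000)    # a key the CA never certified for this host
SERVER_CERT = issue_certificate(CA_PRIV, "mail.example.com", SERVER_PUB)

def demo():
    """Outcomes for the honest certificate and two failure modes a client must catch."""
    swapped = {**SERVER_CERT, "pubkey": list(OTHER_PUB)}  # key replaced in transit
    return {
        "honest": verify_certificate(SERVER_CERT, CA_PUB, "mail.example.com"),
        "swapped_key": verify_certificate(swapped, CA_PUB, "mail.example.com"),
        "wrong_host": verify_certificate(SERVER_CERT, CA_PUB, "webmail.example.com"),
    }
```

Calling `demo()` returns the accept/reject decision and reason for each case; only the untampered certificate for the expected host is accepted.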
The revelation that Clinton’s server for some time did not employ a basic security measure comes as the former secretary of state has offered vague responses to questions about encryption and law-enforcement access to encrypted products.
Neither Clinton nor her Democratic rival, Vermont Sen. Bernie Sanders, would say whether they sided with Apple or the Justice Department in a case involving a dead terrorist’s locked iPhone. In that case, the government has demanded that Apple help it unlock the phone by writing special software, but the company is refusing on the grounds that it would set a dangerous precedent undermining encryption in all of its products.
On the broader question of whether tech companies should be required to build so-called “backdoors” in their encryption for law enforcement, Clinton did acknowledge the consensus of security experts that such an approach was technically dangerous, but she did not unequivocally reject the idea.
Clinton’s use of a personal email account, tied to the private server at her family’s New York home, has become one of the most potent scandals dogging her presidential campaign. It prompted questions about whether she was trying to skirt transparency laws, whether her actions had contributed to breaches of national security, and whether she and her aides understood the technical risks of the arrangement.
Clinton has said that she never knowingly sent classified information through the account, but the inspector general for the 17-member U.S. intelligence community determined that several dozen messages contained classified material. The FBI is investigating counterintelligence concerns arising from the unsecured transmission of the material.
The private server also allowed people to remotely access and configure it, a feature that poses a serious security threat if improperly configured.
“For data of this sensitivity,” security consultant Jason Fossen told the Post, “we would need at a minimum a small team to do monitoring and hardening.” Technicians would have to continuously check the server’s logs for signs that hackers had accessed it.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.