
Clinton Email Server Vulnerable for 3 Months: Venafi

Access to the personal email server used by former U.S. Secretary of State Hillary Clinton was not encrypted or authenticated by a digital certificate for the first three months of her term, research from security firm Venafi has found.


Clinton’s use of a private email address for work as secretary of state has been the source of controversy recently. During a press conference at the United Nations this week, she said she used the email for “convenience” because she thought it would be easier to carry one device for her work and personal emails instead of two.

Clinton said she gave the State Department about 55,000 pages worth of emails that she sent and received with the private server for review. The remaining emails covered non-work issues such as yoga and wedding plans for her daughter, she said, and were deleted.

According to Venafi, questions have been raised about the security of Clinton’s personal email. Using its TrustNet certificate reputation service, Venafi found that at least three digital certificates were used with since 2009. The certificates were obtained validly and enabled web-based encryption for applications.

“Based on TrustNet analyst, Venafi can conclude was enabled for browser, smartphone, and tablet encryption since 2009 and can operate using encryption through at least 2018,” blogged Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “However, for the first 3 months of Secretary Clinton’s term, access to the server was not encrypted or authenticated with a digital certificate. During this time, Secretary Clinton travelled to China, Egypt, Israel, South Korea and other locations outside the U.S.”

“Starting in late March 2009, was enabled with a Network Solutions’ digital certificate and encryption for web-based applications like Outlook Web Access. This was 3 months after Secretary Clinton took office,” he continued. “The domain was registered with Network Solutions in January 2009 – 8 days before Secretary Clinton was confirmed by the U.S. Senate. Therefore, from January to end of March 2009 access to did not use encryption.”

Once the digital certificate was installed in March 2009, all access with a desktop web browser, smartphone or tablet was encrypted, even on government networks designed to inspect traffic, he blogged.

“ operated for 3 months without a digital certificate,” Bocek blogged. “This means that during the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified…and therefore could have been spoofed – allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information.”


According to a study released today by the Ponemon Institute, the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services jumped more than 34 percent to almost 24,000 per enterprise. Fifty-four percent of the 2,371 IT security professionals surveyed admitted they do not know where all their keys and certificates are located.

“With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences,” said Larry Ponemon, founder of the Ponemon Institute, in a statement. “We couldn’t run the world’s digital economy without the system of trust they create. This research is incredibly timely for IT security professionals everywhere – they need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”
