The private email system used by Hillary Clinton when she was U.S. Secretary of State didn’t encrypt messages during the first two months of use, an Internet security company said Wednesday.
That would have left emails sent and received by Clinton in early 2009 vulnerable to eavesdropping—just when British and American intelligence agencies were reportedly spying on world leaders.
Internet records show the clintonemail.com domain was first registered on Jan. 13, 2009. Clinton became Secretary of State eight days later, but it wasn’t until March 29 that the first SSL certificate was issued for the domain, according to Venafi, a security company that analyzes encryption keys and digital certificates.
The SSL certificate is necessary to encrypt connections from smartphones and computers accessing the Microsoft IIS server and its Outlook system. Without that security, data would be flowing across the Internet in plain text.
Around that time, British and American spy agencies were reportedly eavesdropping on world leaders. At the G20 summit in April 2009, they set up fake Internet cafes in the hope that government ministers and their staff would connect to Internet hotspots, allowing the agencies to tap unencrypted or poorly encrypted communications.
During her first months in office until the certificate was obtained, Clinton traveled to Japan, Indonesia, South Korea, China, Egypt, Israel, Palestine, Belgium, Switzerland, Turkey and Mexico.
It’s possible that Clinton didn’t use the email system until the certificate had been obtained, but Kevin Bocek [cq], vice president of security strategy and threat intelligence at Venafi, says he thinks that is unlikely. Due to the timing of the registration of the domain name and her swearing in, Bocek said it appears that the system was prepared for her to use as soon as she took office.
The State Department couldn’t immediately confirm the date of the first email sent using the system.
The 2009 SSL certificate was obtained by Justin Cooper, who is presumably the former aide to President Clinton who has the same name. It was valid for four years and has since been renewed with a five year certificate—a long time for such a certificate.
“Most security professionals wouldn’t recommend that,” said Bocek. “Google uses three-month certificates.”
The certificate used a 2,048-byte key, which is a standard strength, although the server doesn’t employ “perfect forward secrecy,” said Bocek. That ensures mutliple emails cannot be accessed should a private key be stolen, and is a recommended setting in today’s security-conscious environment.
The State Department has said Clinton didn’t send or receive any classified information through her private email account. Even department officials don’t use their state.gov addresses for classified material, which is sent over a separate network, but that doesn’t mean Clinton didn’t send or receive what the U.S. government calls “sensitive but unclassified” information.
The arrangement, while it appears unusual, was and is acceptable and legal, according to the State Department. The only obligation Clinton was under was to preserve her emails so they could become part of the government’s official record.
She turned over 55,000 printed pages of email to the State Department in response to a request to her and other former secretaries of state several months ago. Of the others, Condoleezza Rice said she never used a personal email account, Madeleine Albright said she did not use email, and Colin Powell said he too used a personal email account, but he didn’t take the emails with him when he left office and the account has been closed for a number of years.
Delivering her first remarks on the controversy on Tuesday, Clinton said, “Looking back, it would have been better that I simply used a second email account and carried a second phone, but at the time that didn’t seem an issue.”
She added that her email server had not been breached in any attacks.