On Tuesday, former United States Secretary of State Hillary Clinton made her first extensive comments addressing her use of a personal email address and private email server while in office, saying that she did not use them to communicate anything confidential but that she wishes she had used a government-issued email address instead. She also sought the “convenience” of a single device.
Venafi, a Salt Lake City computer security firm, has conducted an analysis of clintonemail.com and determined that “for the first three months of Secretary Clinton’s term, access to the server was not encrypted or authenticated with a digital certificate.” In other words: For three months, Clinton’s server lay vulnerable to snooping, hacking, and spoofing.
“Without a certificate you have no assurances that a website you’re attached to or an email server you go to is the one you’re actually going to,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “There could easily be a ‘man in the middle’ who could easily intercept communications because they’re not being encrypted.”
Without a proper digital certificate to stop them, bad actors can easily wedge themselves between users and the machines they’re attempting to access on a network and, in so doing, collect private information, and possibly even steal credentials such as usernames and passwords. Digital certificates—known more technically as X.509 certificates—are the foundation upon which browsers and servers set up secure and private encrypted channels to communicate. From Jan. 13 to March 29, 2009, clintonemail.com lacked one, Venafi’s analysis reveals.
Clinton’s office did not respond to a request for comment by press time.
“Long-term access is probably ultimately the worst consequence here,” Bocek said, raising the possibility that hackers could have obtained Clinton’s compromised credentials and used them to continue accessing her email archive even after a digital certificate was added in late March. The most likely threat, though, Bocek added, is spying. “If the Department of State had been eavesdropped on while on a diplomatic mission that could have jeopardized a whole variety of activities.”
In fact, during the three-month window in which Clinton’s email server apparently lacked encryption, she had traveled abroad. According to a public log provided by the State Department’s office of the historian, Clinton had visited countries and places such as Japan, Indonesia, South Korea, China, Egypt, Israel, the Palestinian Authority, Belgium, Switzerland, Turkey and Mexico.
“In locations where the countries are known to operate and monitor network communications, like China and other countries, that certainly would be a real threat,” Bocek said, mentioning that some parts of the world are “known to have active eavesdropping campaigns.”
“Given the intentions of some countries, there is a real risk of communications being eavesdropped on and credentials being compromised,” he said.
John Kindervag, an analyst at Forrester Research who saw preliminary results from Venafi’s analysis, told Fortune that he considered the lack of a certificate protecting clintonemail.com “a pretty significant gap where systems may have been used but been totally unprotected from a security perspective, and therefore that email could have easily been intercepted and read by even the most amateurish attackers.”
“It’s highly unlikely that a person of that importance isn’t being targeted by people who want to gain access to the computational devices in her possession,” Kindervag said. “By the looks of things at first blush,” he added, “it looks like it was a significant disregard for basic security principles and hygiene.”
“You can see from this issue why it’s important to have digital certificates in use,” said Jeff Hudson, CEO at Venafi. “Man in the middle attacks, spoofing, eavesdropping—it proves the point once again that these things are foundational and when not dealt with correctly all kinds of bad things can happen.”
To conduct the analysis, Venafi researchers used a tool they’re now launching called TrustNet, which scans the internet and historical sources for information about digital certificates and helps assess their risks and reputations. The company has been compiling its own database for the past year. You can read more information about Venafi’s analysis on the company’s blog.
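The kind of check behind the finding above (the certificate gap from Jan. 13 to March 29, 2009, and the hostname assurance Bocek describes) can be reproduced from a historical list of certificate observations. The following is an added illustration, not Venafi’s TrustNet code: the observations, the hostname `mail.example.net` and all dates are constructed, chosen only to mirror the gap the article reports.

```python
from datetime import date, timedelta

def name_matches(host: str, cert_name: str) -> bool:
    """Match a hostname against a certificate name: exact match, or a
    wildcard in the leftmost label only (so *.example.net does not cover
    example.net or a.b.example.net)."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return host.split(".")[1:] == cert_name.split(".")[1:]
    return host == cert_name

def uncovered_windows(host, observations, start, end):
    """Return (first_day, last_day) ranges inside [start, end] during which
    no observed certificate was both valid and issued for `host`.
    Absence of an observation is evidence, not proof, that no certificate
    existed: the scanner may simply have missed it."""
    intervals = sorted(
        (c["not_before"], c["not_after"])
        for c in observations
        if any(name_matches(host, n) for n in c["names"])
    )
    gaps, cursor = [], start          # cursor = first day not yet covered
    for not_before, not_after in intervals:
        if not_before > cursor:       # hole before this certificate starts
            gaps.append((cursor, min(not_before - timedelta(days=1), end)))
        if not_after >= cursor:
            cursor = not_after + timedelta(days=1)
        if cursor > end:
            break
    if cursor <= end:                 # tail of the window never covered
        gaps.append((cursor, end))
    return gaps

def gap_days(gaps) -> int:
    """Total number of uncovered days."""
    return sum((last - first).days + 1 for first, last in gaps)

# Constructed observations (hypothetical hosts and dates).
SAMPLE_OBSERVATIONS = [
    {"names": ["mail.example.net"], "not_before": date(2008, 3, 1), "not_after": date(2009, 1, 12)},
    {"names": ["www.other.org"], "not_before": date(2009, 1, 1), "not_after": date(2010, 1, 1)},
    {"names": ["*.example.net"], "not_before": date(2009, 3, 30), "not_after": date(2010, 3, 29)},
]

def example_gaps():
    return uncovered_windows("mail.example.net", SAMPLE_OBSERVATIONS,
                             date(2009, 1, 1), date(2009, 6, 30))

if __name__ == "__main__":
    gaps = example_gaps()
    print(gaps, gap_days(gaps))  # prints [(2009-01-13, 2009-03-29)] 76
```

Certificate presence alone says nothing about whether the mail client actually verified it; a server that offers a valid certificate to clients that skip verification still leaves the channel open to interception.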