Clinton didn't encrypt emails for three months, security firm finds

Clinton didn't encrypt emails for three months, security firm finds
© Thinkstock

Hillary ClintonHillary Rodham ClintonClinton defends April Ryan, Rep. Maxine Waters in speech Lobbying world Trump puts foreign investors first by supporting the Republican tax plan MORE did not encrypt her private email service with a digital certificate for the first three months of her tenure as secretary of State, according to a security research firm

After scanning Clinton’s domain, clintonemail.com, the security firm Venafi found that from January to March 2009, the domain had no digital certificate issued by an authority, which shows a site is secured.

“This means that during the first three months of Secretary Clinton’s term in office, web browser, smartphone and tablet communications would not have been encrypted,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, in a blog post.

ADVERTISEMENT
According to Clinton’s travel records, she went to China, Egypt, Israel, Japan and South Korea, among other countries, during that time.

“Attackers could have eavesdropped on communications,” Bocek said. “As well, the server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed — allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information.”

Clinton insisted Tuesday that “there were no security breaches” of her email and that the system had “numerous safeguards” in place. There's evidence the system at first relied on self-signed encryption methods.

But not detecting a breach is not the same as not being breached, security experts say.

And the initial approach to encryption ignored accepted guidelines for locking down an email system or website.

Venafi found Clinton did eventually purchase three different digital certificates from two issuing authorities.

“Clintonemail.com was enabled for browser, smartphone and tablet encryption since 2009 and can operate using encryption through at least 2018,” Bocek said.