The private email system used by Hillary Clinton when she was U.S. Secretary of State didn't encrypt messages during the first two months of use, an Internet security company said Wednesday.
That would have left emails sent and received by Clinton in early 2009 vulnerable to eavesdropping -- just when British and American intelligence agencies were reportedly spying on world leaders.
Internet records show the clintonemail.com domain was first registered on Jan. 13, 2009. Clinton became Secretary of State eight days later, but it wasn't until March 29 that the first SSL certificate was issued for the domain, according to Venafi, a security company that analyzes encryption keys and digital certificates.
The SSL certificate is necessary to encrypt connections from smartphones and computers accessing the Microsoft IIS server and its Outlook system. Without that security, data would be flowing across the Internet in plain text.
Around that time, British and American spy agencies were reportedly eavesdropping on world leaders. At the G20 summit in April 2009, they set up fake Internet cafes in the hope that government ministers and their staff would connect to Internet hotspots, allowing the agencies to tap unencrypted or poorly encrypted communications.
During her first months in office until the certificate was obtained, Clinton traveled to Japan, Indonesia, South Korea, China, Egypt, Israel, Palestine, Belgium, Switzerland, Turkey and Mexico.
It's possible that Clinton didn't use the email system until the certificate had been obtained, but Kevin Bocek [cq], vice president of security strategy and threat intelligence at Venafi, says he thinks that is unlikely. Due to the timing of the registration of the domain name and her swearing in, Bocek said it appears that the system was prepared for her to use as soon as she took office.
The State Department couldn't immediately confirm the date of the first email sent using the system.
The 2009 SSL certificate was obtained by Justin Cooper, who is presumably the former aide to President Clinton who has the same name. It was valid for four years and has since been renewed with a five year certificate -- a long time for such a certificate.
"Most security professionals wouldn't recommend that," said Bocek. "Google uses three-month certificates."
The certificate used a 2,048-byte key, which is a standard strength, although the server doesn't employ "perfect forward secrecy," said Bocek. That ensures mutliple emails cannot be accessed should a private key be stolen, and is a recommended setting in today's security-conscious environment.
The State Department has said Clinton didn't send or receive any classified information through her private email account. Even department officials don't use their state.gov addresses for classified material, which is sent over a separate network, but that doesn't mean Clinton didn't send or receive what the U.S. government calls "sensitive but unclassified" information.
Sign up for CIO Asia eNewsletters.