Venafi TrustNet is the world’s first enterprise certificate reputation service. TrustNet can identify certificate misuse, perform forensic analysis, and predict vulnerabilities that need to be fixed to protect the Global 5000 and governments. To achieve this, TrustNet has acquired, maintains, and is continuously adding to the world’s largest database of digital certificates and associated metadata. TrustNet is able to go back in time and identify how digital certificates were used in the past, providing a new type of forensics capability to the IT security community.
Digital certificates and their corresponding cryptographic keys are incredibly powerful. They solved the biggest barriers to using the Internet: how do I know that a website is what it says it is and that communications with the site are private? But this is also why certificates are so interesting to bad guys for misuse. It’s also why cybersecurity experts, like Intel, predict stolen certificates will be the next big hacker marketplace. With this increasing misuse by attackers, how do we keep certificates safe? Venafi protects the trust established by keys and certificates for the Global 5000 and governments.
In the past week, there have been questions about the level of security, use, and configuration of former Secretary of State Hillary Clinton’s personal email server. Specifically, there have been concerns that the server may have been vulnerable to eavesdropping and compromise. TrustNet found that at least 3 digital certificates were used with clintonemail.com since 2009. Operators of clintonemail.com obtained these certificates so the site could be uniquely distinguished (another clintonemail.com would not show as being secured without the certificate) and the site would use strong encryption to keep data transmissions private. These certificates were obtained validly and enabled web-based encryption for applications. Based on TrustNet analyst, Venafi can conclude clintonemail.com was enabled for browser, smartphone, and tablet encryption since 2009 and can operate using encryption through at least 2018. However, for the first 3 months of Secretary Clinton’s term, access to the server was not encrypted or authenticated with a digital certificate. During this time, Secretary Clinton travelled to China, Egypt, Israel, South Korea and other locations outside of the U.S.
Note: All data in this report was obtained by non-intrusive Internet scanning routinely performed throughout the IT security community to protect the safety and health of the Internet.
January – March 2009
No certificates found – no encryption enabled
mail.clintonemail.com Issued by: Network Solutions Valid to: September 2013 Download certificate file
sslvpn.clintonemail.com Issued by: Network Solutions Valid to: February 2013 Download certificate file
mail.clintonemail.com Issued by: GoDaddy Valid to: September 2018 Download certificate file
Starting in late March 2009, mail.clintonemail.com was enabled with a Network Solutions’ digital certificate and encryption for web-based applications like Outlook Web Access. This was 3 months after Secretary Clinton took office. The clintonemail.com domain was registered with Network Solutions in January 2009 – 8 days before Secretary Clinton was confirmed by the U.S. Senate. Therefore, from January to end of March 2009 access to clintonemail.com did not use encryption.
Once the digital certificate was installed in March 2009, all access with a desktop web browser, smartphone, or table was encrypted, even on government networks designed to inspect traffic. However, this doesn’t mean that email sent to/from the account would be encrypted – just accessing the server.
The first certificate obtained for clintonemail.com was set to expire on 15 September 2013. It was replaced a few days before this expiration with a new certificate from GoDaddy set to expire in 2018. This is the certificate that remains running on the server in March 2015. Microsoft Outlook Web Access and Microsoft IIS were confirmed by Venafi to be running on the server. At the time of inspection, communications between the server and applications were being authenticated and encrypted.
As reported elsewhere, the server also appears to have run an SSL VPN – an authenticated and encrypted tunnel through which other web pages on other servers could be accessed. TrustNet found the sslvpn.clintonemail.com certificate. It was issued in 2012 and expired in 2013. Venafi could not confirm the continued operation of an SSL VPN or the sites to which it may have gated access.
Online banking, shopping, and confidential government communications wouldn’t be possible without the trust established by digital certificates. Hundreds of billions of dollars in trade around the world also depends on it, as does the future of secure communications and computing. From airplanes to cars to our smartphones, all of these technologies are dependent on the trust digital certificates and their associated cryptographic keys provide. And, they are being used more and more every day. It’s also why bad guys are ferociously going after them. Threat research from FireEye, Intel, Kaspersky, and Mandiant consistently identifies the misuse of keys and certificates as an important part of APT and cybercriminal operations. And Gartner expects by 2017 that 50% of network attacks will be using SSL/TLS.
Clintonemail.com operated for 3 months without a digital certificate. This means that during the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed – allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information.
Obtaining the cryptographic key and digital certificate for clintonemail.com would be an important step for attackers seeking to compromise Secretary of State Clinton or others that might access the server. With them, bad guys could masquerade as the legitimate site or decrypt what was thought to be private communications. As a standalone Microsoft Windows Server, the site is very vulnerable. In 2013, over 800 trojans were known to steal keys and certificates – and that number has swelled since then. The use of digital certificates on clintonemail.com provides users with the confidence that they are connecting to the real site and communications cannot be inspected. But when on government networks, anyone accessing the site and depending on the certificate needs to be highly suspicious. The site has received tremendous attention and its contents and certificate are likely targets for compromise and misuse.
Venafi will continue to observe this situation and provide updates if new information becomes available. Venafi TrustNet operates 24x7 to secure and protect Venafi customers, is constantly monitoring the status of certificates around the world, and provides real-time updates to subscribers. Organizations interested in learning how TrustNet can help can contact Venafi for more information.
I want to offer a special thank you to Hari Nair, Gavin Hill, and the Venafi TrustNet product team who contributed to this research and analysis.