Skip to main content
banner image
venafi logo

New Data Confirms Venafi Analysis that Secretary Clinton’s Email Server Did Not Use Encryption

New Data Confirms Venafi Analysis that Secretary Clinton’s Email Server Did Not Use Encryption

generic_blog_banner_image
December 10, 2015 | Kevin Bocek
Key Takeaways
  • During the first 3 months of operation, Secretary Clinton’s email server did not use encryption
  • Venafi TrustNet analysis confirmed the lack of encryption, but could not confirm use of the server during that time
  • New publicly-available emails confirm that Secretary Clinton sent and received emails from this server during the time when it did not use encryption

Newly released emails corroborate the forensic analysis conducted by Venafi TrustNet certificate reputation service which concluded that Secretary of State Hillary Clinton did not use encryption on her email server at the beginning of her term.

Earlier this year, Venafi TrustNet, a digital certificate reputation service, identified that the email server operated for Secretary Clinton and mail.clintonemail.com appeared not to use encryption for the first 3 months of operation—leaving her email and server potentially open to hackers. During this vulnerable period without encryption, Secretary Clinton travelled to China, Egypt, Israel, South Korea, and other locations outside of the U.S. This analysis was made possible by using Venafi TrustNet—the first certificate reputation service and a database of certificates going back over 10 years.

Venafi TrustNet identified the first digital certificate issued for the server was on 29 March 2009 while Secretary Clinton was sworn in to office on 22 January 2009 and the clintonemail.com domain was registered on 13 January 2009. If the server did not use encryption, access using browsers, smartphones, and computers could have been compromised with man-in-the middle (MITM) attacks, allowing communications to be monitored. These attacks could have allowed for emails or login credentials to be captured, leading to further long-term access to Secretary Clinton’s email and calendar by adversaries.

More Download the Venafi TrustNet white paper and discover how to identify certificate misuse in real-time

First clintonemail.com digital certificate obtained in 2009 from Network Solutions
First clintonemail.com digital certificate obtained in 2009 from Network Solutions.

But over the past few months, one question continued to linger for the Venafi research team and others in the security community: Did Secretary Clinton actually use the email server during the time a digital certificate was not in use and encryption was not enabled?

With the public release of additional clintonemail.com messages, Venafi now believes it can definitively answer this question: Yes, Secretary Clinton did use the clintonemail.com server to send and receive messages while the server did not have a digital certificate installed and was not using encryption.

Email Server Use Timeline

  • Wednesday, 18 March 2009—the date of the earliest message publicly released that was sent to Secretary Clinton at clintonemail.com. 
  • Saturday, 21 March 2009—the earliest date that publicly-available email messages show the Secretary using the email address, [email protected], to send messages
  • Sunday, 29 March 2009—the date the first digital certificate for mail.clintonemail.com was acquired by Justin Cooper.

The first publicly-known email to be sent by Secretary Clinton using clintonemail.com is on Saturday, 21 March 2009.
The first publicly-known email to be sent by Secretary Clinton using clintonemail.com is on Saturday, 21 March 2009.

Venafi cannot confirm if earlier emails exist or will be made publicly available. Therefore, for at least 11 days, Venafi concludes that while in use the server did not use encryption for access by browsers, smartphones, and computers. The email sent to Secretary Clinton on 18 March is from someone outside of the State Department. This may indicate the email address was in use and known publicly before 18 March. Only public release of further emails by the State Department can confirm this. After 29 March and until the server was taken offline in 2015, the server did operate with a valid digital certificate and did use encryption for browser, smartphone, and computer access.

Venafi also identified that the mail.clintonemail.com server was operating Microsoft’s Outlook Web Access (OWA) in March 2015, meaning that access was possible not just with a smartphone or desktop application like Outlook, but using any web browser. While OWA is installed by default with Microsoft Exchange and the server was hosting the application with Microsoft IIS 7 (released by Microsoft in February 2008), Venafi cannot confirm when web browser access with Outlook Web Access was first enabled.

Outlook Web Access in use and accessible from any browser for mail.clintonemail.com in March 2015 (first date of use cannot be confirmed by Venafi).
Outlook Web Access in use and accessible from any browser for mail.clintonemail.com in March 2015 (first date of use cannot be confirmed by Venafi).

The following digital certificate forensic analysis was documented by Venafi in March 2015 to understand when encryption was used on mail.clintonemail.com. Get the full analysis.

Digital Certificate Forensics Timeline for clintonemail.com

What are your thoughts about Secretary Clinton’s use of her email server before encryption was enabled?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CA Agility: What Should Security Leaders Do Next?

Maximizing Your CA Agility: Why This Issue Is So Important Right Now

new Venafi technology network

Venafi Technology Network Changes the Way Machine Identities Are Protected

About the author

Kevin Bocek
Kevin Bocek

Kevin Bocek writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat