Slashdot Mirror


Clinton's Private Email System Gets a Security "F" Rating

Penguinisto writes According to a scan by Qualys, Hillary Clinton's personal e-mail server, which has lately generated more than a little controversy in US political circles, has earned an "F" rating for security from the security vendor. Problems include SSL2 support, a weak signature, and only having support for older TLS protocols, among numerous other problems. Note that there are allegations that the email server was possibly already hacked in 2013. (Note: Mrs. Clinton plans on giving a press conference to the public today on the issue.)

18 of 315 comments

  1. B is the new F? by GAATTC · · Score: 4, Informative

    Funny - I clicked on the link and the rating is a B. No ambiguity about it and not the result of a hasty recent security update (the site was assessed on Sat Mar 07 22:39:37 PST 2015). Where does this headline and summary come from?

    1. Re:B is the new F? by Jhon · · Score: 5, Informative

      Interesting. I've got two tabs open -- both to the same URL. I see the following:

      SSL Report: mail.clintonemail.com (64.94.172.146)
      Assessed on: Sat Mar 07 15:10:39 PST 2015 | Clear cache
      RATING: "F"

      SSL Report: mail.clintonemail.com (64.94.172.146)
      Assessed on: Tue Mar 10 09:18:02 PDT 2015 | Clear cache
      RATING: "B"

      The difference is that protocol support is zero on the F, and it notes SSL 2.0 support (automatic "F").

      Looks like somebody fixed something between Saturday and today.

    2. Re:B is the new F? by celtic_hackr · · Score: 3, Informative

      The rating is an F because it supports SSL2. Yet, they didn't show a single example where it permitted an SSL2 handshake or connection. Every email server supports SSL2. The real question is does it actually permit SSL2 connections. Hell, my server "supports" SSL2, but I have its connections disabled in the configuration. This security rating is just a load of political crap. Everyone picking on poor ol' Hillary for using a private server. It must be weak because it's not based at the State Department. Because we all know the best and brightest computer nerds work for the Fed?

      Now given what I see there from this scan, she's using SHA-1 for signatures. Definitely not best practice. I'd rate that server as a C or a D. The server appears to be an IIS server. A hardened Linux server would have been the way to go. Just because it's not a guvmint server doesn't mean it is automatically weak. My server gets attacked all day long and hasn't been hacked. Sure, I'm not a big target either. I once conducted an experiment to see how long it would take for someone to hack my Linux system. So I put one out there, didn't patch it, and did a minimal security setup, like you might get from a Linux Servers for Dummies tutorial (there are plenty out there). It took 4 months for my relatively unknown server. But that was years ago. I haven't been hacked since, and no, that is not an invitation to try. I get DDOSed on a semi-regular basis. Not much I can do about that, other than what I am doing. I haven't got 1000 servers to offload attacks to.

      In the end, a well configured and maintained server stands as much of a chance of being secure as any server out there, save perhaps the DOD. Bigger is not necessarily better.

  2. Re:Makes sense by bill_mcgonigle · · Score: 5, Informative

    I mean, the only security they seemed to be interested in was keeping the emails out of the hands of people with subpoenas, FOIA requests and such.

    Plus, it's in her house, so she gets 4th Amendment protections as well, which is pretty smart.

    But Qualys's SSL scan grade is relevant to a server open to the public. Looking at the generated report, the main problem, in a situation where the client software is highly controllable and very likely hand-configured, is the lack of perfect-forward-secrecy ciphersuites. And that only helps prevent future attacks, not past ones (she's "retired" at the moment).

    If somebody wanted to attack this system, attacking TLS would not be the way to do it - the configuration is good enough to make so many other vectors much cheaper attacks. I see the engineer used GoDaddy as the SSL vendor. This doesn't speak well for the budget of the project which has implications for the degree of configuration hardening that was done, which is especially crucial for a Windows machine.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
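    The two reports Jhon pasted (SSL 2.0 on Saturday, gone by Tuesday), celtic_hackr's SHA-1 remark and bill_mcgonigle's forward-secrecy point all describe the same grading logic: one finding is an automatic "F", the others only cap the grade. The script below is an added illustration of that logic, not Qualys SSL Labs code and not anything from the scanned server. The cap values for SSLv3, SHA-1, missing forward secrecy and missing TLS 1.2 are assumptions chosen to reproduce the F-to-B change from the thread; the two scan summaries are constructed, and the Tuesday one assumes SSLv3 was also off, which the thread does not say.

```python
"""Toy TLS-configuration grader (added example; not Qualys SSL Labs code).

An automatic-F rule (SSL 2.0 enabled) short-circuits everything else;
the remaining findings lower a cap, and the final grade is the lowest cap.
All cap values below are illustrative assumptions, not the SSL Labs guide.
"""
from dataclasses import dataclass
from typing import List, Tuple

GRADES = ["F", "D", "C", "B", "A"]  # worst to best


@dataclass
class ScanResult:
    host: str
    protocols: List[str]        # e.g. ["SSLv2", "SSLv3", "TLSv1.0"]
    signature_alg: str          # certificate signature algorithm
    cipher_suites: List[str]    # OpenSSL-style suite names


def lower_cap(cap: str, new_cap: str) -> str:
    """Return whichever of the two grades is worse."""
    return new_cap if GRADES.index(new_cap) < GRADES.index(cap) else cap


def has_forward_secrecy(suites: List[str]) -> bool:
    """Forward secrecy needs an ephemeral key exchange: ECDHE or DHE suites."""
    return any(s.startswith(("ECDHE-", "DHE-")) for s in suites)


def grade(result: ScanResult) -> Tuple[str, List[str]]:
    """Grade one scan; returns (letter, list of findings that drove it)."""
    findings = []
    # Automatic failure: the protocol itself is broken, nothing else matters.
    if "SSLv2" in result.protocols:
        findings.append("SSL 2.0 supported: automatic F")
        return "F", findings

    cap = "A"
    if "SSLv3" in result.protocols:               # assumed cap: C
        findings.append("SSL 3.0 supported: capped at C")
        cap = lower_cap(cap, "C")
    if "sha1" in result.signature_alg.lower():   # assumed cap: B
        findings.append("SHA-1 certificate signature: capped at B")
        cap = lower_cap(cap, "B")
    if not has_forward_secrecy(result.cipher_suites):  # assumed cap: B
        findings.append("no forward-secrecy cipher suites: capped at B")
        cap = lower_cap(cap, "B")
    if "TLSv1.2" not in result.protocols:        # assumed cap: B
        findings.append("TLS 1.2 not offered: capped at B")
        cap = lower_cap(cap, "B")
    return cap, findings


def resolved_between(before: ScanResult, after: ScanResult) -> List[str]:
    """Findings present in the earlier scan but absent from the later one."""
    _, old = grade(before)
    _, new = grade(after)
    return [f for f in old if f not in new]


# Constructed summaries modelled on the two snapshots quoted in the thread.
SATURDAY = ScanResult("mail.clintonemail.com", ["SSLv2", "SSLv3", "TLSv1.0"],
                      "sha1WithRSAEncryption", ["AES128-SHA", "RC4-SHA"])
TUESDAY = ScanResult("mail.clintonemail.com", ["TLSv1.0"],
                     "sha1WithRSAEncryption", ["AES128-SHA", "RC4-SHA"])

if __name__ == "__main__":
    for label, scan in (("Saturday", SATURDAY), ("Tuesday", TUESDAY)):
        letter, why = grade(scan)
        print(f"{label}: {scan.host} -> {letter}")
        for line in why:
            print("   ", line)
    print("resolved:", resolved_between(SATURDAY, TUESDAY))
```

Note that dropping SSL 2.0 alone only moves the grade as far as the remaining caps allow; the SHA-1 signature and the absence of ECDHE/DHE suites still hold the Tuesday result at B, which is the distinction celtic_hackr and bill_mcgonigle are each drawing.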
  3. Re:The Clintons by oh_my_080980980 · · Score: 2, Informative

    Did not violate any rules regarding email retention - rules were created after. Did what every other Secretary of State did in regards to email. Bush was president - so no, Hillary is not a bad choice.

  4. Re:Since when is a "B" grade an "F"? by Jhon · · Score: 3, Informative

    I just checked and it says "F" in a bright red box.

    SSL Report: mail.clintonemail.com (64.94.172.146)

    What IP address did YOU see? Maybe there's more than one server being polled?

  5. Re:Makes sense by arth1 · · Score: 3, Informative

    The Qualys SSL scan only scans the web server front-end. (Which shouldn't even exist, in my opinion. Use a mail program, not a browser.)

    But this is a mail server too, with its own security implications, and those have not been scrutinized, as far as I can tell.

  6. Re:No Law broken by 93+Escort+Wagon · · Score: 3, Informative

    Mrs. Clinton broke no laws at all. The laws requiring saving of emails by officials were passed after Mr. Clinton left office.

    Nice attempt at obfuscation there. This has nothing to do with when Bill Clinton was President. This is about how Hillary Clinton handled her email while she was Secretary of State under President Obama.

    --
    #DeleteChrome
  7. Re:No Clinton No Bush by Archangel+Michael · · Score: 1, Informative

    It isn't the voting public, it is the very wealthy and well connected power brokers that have anointed these two. The voting public are sheeple, easily manipulated with FUD.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  8. Re:It's 3am and a phone is ringing in the White Ho by OzPeter · · Score: 1, Informative

    I will be very disappointed if Clinton opponents don't use some version of an ad that highlights this.

    And following that, the Democrats will put up the exact same ad, but featuring Jeb Bush.

    There have been a bunch of Republicans who have admitted to using their own (non-governmental) email systems, two of which were also former secretaries of state:

    Condoleezza Rice
    Colin Powell
    Jeb Bush
    Bobby Jindal
    Rick Perry
    Sarah Palin

    And that's most likely not all of them. But don't take this as GOP bashing, I'm pretty sure that this sort of thing is rampant on both sides of the aisle. But once one side lifts the veil on it, the other side will respond in kind.

    --
    I am Slashdot. Are you Slashdot as well?
  9. Re:No Clinton No Bush by khallow · · Score: 4, Informative

    Nonsense. LBJ, despite getting mired in the Vietnam War, had many effective strengths as a politician. I believe here, Jeb Bush is referring to LBJ's ability to get bipartisan support for his legislation. While I don't have a problem with politicians who can "work across the aisle", I find this suspiciously like George W. Bush, who said much the same thing and then abandoned bipartisanship for a significant part of his tenure.

    In comparison, I find Hillary Clinton's casual and persistent corruption and selective rule breaking to be a worse thing than Jeb Bush's choice of role models. Still, I wouldn't be broken up if neither was ever elected president.

  10. Re:The Clintons by halivar · · Score: 4, Informative

    I'd say leaving office apparently broke and then making shitloads-times-fuckloads of money later, is a sign of a successful president.

    Well, then President Clinton neatly skirts any accusation of being successful by that metric: http://www.washingtonpost.com/...

    They left office not just with millions, but also with the White House dinnerware: http://abcnews.go.com/Politics...

  11. Re:The Clintons by celtic_hackr · · Score: 3, Informative

    Yet cited email as a tertiary reason for firing the African ambassador.

    Installing a private Internet connection in your Dept. of State office bathroom, in order to bypass the government link, is a far cry from running a mail server out of your home.

    There's a massive difference in setting up a server you own and are the only one to have 24/7 unfettered access vs using a free email provider.

    That's for sure! We've all seen how secure Yahoo, AOL and Google email accounts are. That is not to say running a private email server is a walk in the park. Just because someone uses a free email provider doesn't mean they'll have a more secure server.

    So you are aware there was a memo put out by Pres O. 24 August 2012 concerning use of private email for state business.

    You do realize she'd set this server up in 2009 and left in Feb 2013? So she continued to use her own server her last five months, rather than do a disruptive move to the State server, when she already knew she was leaving in a few months. Your point?

  12. Re:I Disagree by Anonymous Coward · · Score: 3, Informative

    He[r] data also remains under HER control, HER ownership, and if any of you idiots think your "cloud" data is safe, it just proves how inept you are.

    You are right but not for the reasons you believe. By owning the server she controls who can get the emails, and that includes from government investigators. When they review the emails she turns over, what proof is there that any problematic emails were not first erased? If it was in a "cloud" system, including a government system, then she would have lost the ability to sanitize the email trove before investigators get access. Regarding your calling people idiots who think differently than you and for trusting cloud systems, I guess it depends on against whom you are trying to protect the data.

  13. Re:Makes sense by sumdumass · · Score: 4, Informative

    http://www.politico.com/story/...

    Actually, that IRS "the dog ate my email" somewhat failed.

    It turns out that asking IT to look for backups of the email is more productive than looking for it personally. It's just a matter of the time needed to sort through it, if anyone in government is still interested.

  14. Re:I Disagree by Just+Some+Guy · · Score: 5, Informative

    Her data also remains under HER control, HER ownership

    That's cute, except that it's not her data. That data is owned by the American people via its government, as are all official communications. When you're an officeholder, you don't "own" your official email.

    --
    Dewey, what part of this looks like authorities should be involved?
  15. Re: The Clintons by acoustix · · Score: 3, Informative

    Hillary isn't the second in line. The vice president is. :/

    The VP is first in line. :/

    But then it goes to the speaker of the house, president pro tempore and then secretary of state.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  16. Re:Let's try something else by YrWrstNtmr · · Score: 3, Informative

    " in or next to the Big Chair."

    SecState counts as "next to"