Slashdot Mirror


Clinton's Private Email System Gets a Security "F" Rating

Penguinisto writes: According to a scan by Qualys, Hillary Clinton's personal e-mail server, which has lately generated more than a little controversy in US political circles, has earned an "F" rating for security from the security vendor. Problems include SSL2 support, a weak signature, and only having support for older TLS protocols, among numerous other problems. Note that there are allegations that the email server was possibly already hacked in 2013. (Note: Mrs. Clinton plans on giving a press conference to the public today on the issue.)

3 of 315 comments

  1. Re:Makes sense by bill_mcgonigle · Score: 5, Informative

    I mean, the only security they seemed to be interested in was keeping the emails out of the hands of people with subpoenas, FOIA requests and such.

    Plus, it's in her house, so she gets 4th Amendment protections as well, which is pretty smart.

    But Qualys's SSL scan grade is relevant to a server open to the public. Looking at the generated report, the main problem, in a situation where the client software is highly controllable and very likely hand-configured, is the lack of perfect-forward-secrecy ciphersuites. And that only helps prevent future attacks, not past ones (she's "retired" at the moment).

    If somebody wanted to attack this system, attacking TLS would not be the way to do it - the configuration is good enough to make so many other vectors much cheaper attacks. I see the engineer used GoDaddy as the SSL vendor. This doesn't speak well for the budget of the project which has implications for the degree of configuration hardening that was done, which is especially crucial for a Windows machine.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Re:B is the new F? by Jhon · Score: 5, Informative

    Interesting. I've got two tabs open -- both to the same URL. I see the following:

    SSL Report: mail.clintonemail.com (64.94.172.146)
    Assessed on: Sat Mar 07 15:10:39 PST 2015
    RATING: "F"

    SSL Report: mail.clintonemail.com (64.94.172.146)
    Assessed on: Tue Mar 10 09:18:02 PDT 2015
    RATING: "B"

    The difference is that protocol support is zero on the F and it notes SSL 2.0 support (automatic "F").

    Looks like somebody fixed something between Saturday and today.
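The two comments above make two concrete points: SSL 2.0 support alone earns an automatic "F", and the remaining weakness on a hand-configured server is the absence of forward-secrecy cipher suites. The following Python is an added example, not code from the thread or from Qualys, that encodes those observations as a small grading and diffing tool for scan snapshots. Only the "SSL 2.0 means F" rule is taken from the thread; the other grade caps (SSL 3.0, no TLS 1.2, SHA-1 certificate signature, no forward secrecy) are assumed simplifications and are not Qualys's actual scoring. The host name, protocol lists and cipher suite names are constructed sample input.

```python
from dataclasses import dataclass

# Grades from best to worst; worse_of() picks the lower of two.
GRADE_ORDER = ("A", "B", "C", "F")

# Certificate signature algorithms treated as weak (assumed list).
WEAK_SIGNATURE_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


@dataclass
class TlsProfile:
    """What a scanner observes about one endpoint (constructed input)."""
    host: str
    protocols: list       # e.g. ["SSL 2.0", "TLS 1.0"]
    cipher_suites: list   # OpenSSL-style names, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    cert_signature: str   # e.g. "sha1WithRSAEncryption"


def worse_of(a, b):
    """Return the lower of two grades."""
    return a if GRADE_ORDER.index(a) >= GRADE_ORDER.index(b) else b


def offers_forward_secrecy(cipher_suites):
    """True if at least one enabled suite uses ephemeral (EC)DH key exchange,
    i.e. a captured session cannot be decrypted later with the server's RSA key."""
    return any(s.startswith(("ECDHE-", "DHE-")) for s in cipher_suites)


def grade(profile):
    """Return (grade, findings) for a profile.

    Only the 'SSL 2.0 enabled -> automatic F' rule comes from the thread; every
    other cap below is an assumed simplification, not Qualys's real algorithm."""
    findings = []
    result = "A"
    if "SSL 2.0" in profile.protocols:
        findings.append("SSL 2.0 enabled: automatic F")
        return "F", findings
    if "SSL 3.0" in profile.protocols:
        findings.append("SSL 3.0 enabled (assumed cap: C)")
        result = worse_of(result, "C")
    if "TLS 1.2" not in profile.protocols:
        findings.append("no TLS 1.2, only older TLS versions (assumed cap: B)")
        result = worse_of(result, "B")
    if profile.cert_signature in WEAK_SIGNATURE_ALGS:
        findings.append(f"weak certificate signature {profile.cert_signature} (assumed cap: B)")
        result = worse_of(result, "B")
    if not offers_forward_secrecy(profile.cipher_suites):
        findings.append("no forward-secrecy cipher suites (assumed cap: B)")
        result = worse_of(result, "B")
    return result, findings


def diff_profiles(before, after):
    """List what changed between two scans of the same host, so a grade jump
    (such as F to B) can be tied to a specific configuration change."""
    changes = []
    for proto in sorted(set(before.protocols) - set(after.protocols)):
        changes.append(f"removed protocol {proto}")
    for proto in sorted(set(after.protocols) - set(before.protocols)):
        changes.append(f"added protocol {proto}")
    for suite in sorted(set(before.cipher_suites) - set(after.cipher_suites)):
        changes.append(f"removed cipher suite {suite}")
    for suite in sorted(set(after.cipher_suites) - set(before.cipher_suites)):
        changes.append(f"added cipher suite {suite}")
    if before.cert_signature != after.cert_signature:
        changes.append(f"certificate signature {before.cert_signature} -> {after.cert_signature}")
    return changes


# Constructed snapshots; the host name is a placeholder, not a real server.
SATURDAY = TlsProfile("mail.example.invalid", ["SSL 2.0", "SSL 3.0", "TLS 1.0"],
                      ["AES128-SHA", "RC4-SHA"], "sha1WithRSAEncryption")
TUESDAY = TlsProfile("mail.example.invalid", ["TLS 1.0", "TLS 1.1"],
                     ["AES128-SHA"], "sha1WithRSAEncryption")
HARDENED = TlsProfile("mail.example.invalid", ["TLS 1.2"],
                      ["ECDHE-RSA-AES128-GCM-SHA256"], "sha256WithRSAEncryption")

if __name__ == "__main__":
    for label, snap in (("Saturday", SATURDAY), ("Tuesday", TUESDAY), ("hardened", HARDENED)):
        g, notes = grade(snap)
        print(f"{label}: {g}")
        for n in notes:
            print(f"  - {n}")
    print("Saturday -> Tuesday changes:")
    for c in diff_profiles(SATURDAY, TUESDAY):
        print(f"  * {c}")
```

Running it gives "F" for the Saturday snapshot (SSL 2.0 short-circuits everything else), "B" for the Tuesday snapshot (SSL 2.0 and 3.0 gone, but still no TLS 1.2, a SHA-1 signature and no forward secrecy), and "A" for the hardened profile; the diff shows exactly which protocols were dropped between the two scans.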

  3. Re:I Disagree by Just+Some+Guy · Score: 5, Informative

    The data also remains under HER control, HER ownership

    That's cute, except that it's not her data. That data is owned by the American people via its government, as are all official communications. When you're an officeholder, you don't "own" your official email.

    --
    Dewey, what part of this looks like authorities should be involved?