Slashdot Mirror


Clinton's Private Email System Gets a Security "F" Rating

Penguinisto writes According to a scan by Qualys, Hillary Clinton's personal e-mail server, which has lately generated more than a little controversy in US political circles, has earned an "F" rating for security from the security vendor. Problems include SSL2 support, a weak signature, and only having support for older TLS protocols, among numerous other problems. Note that there are allegations that the email server was possibly already hacked in 2013. (Note: Mrs. Clinton plans on giving a press conference to the public today on the issue.)

10 of 315 comments

  1. Makes sense by Trailer Trash · Score: 5, Insightful

    I mean, the only security they seemed to be interested in was keeping the emails out of the hands of people with subpoenas, FOIA requests and such.

    1. Re:Makes sense by bill_mcgonigle · Score: 5, Informative

      I mean, the only security they seemed to be interested in was keeping the emails out of the hands of people with subpoenas, FOIA requests and such.

      Plus, it's in her house, so she gets 4th Amendment protections as well, which is pretty smart.

      But Qualys's SSL scan grade is relevant to a server open to the public. Looking at the generated report, the main problem, in a situation where the client software is highly controllable and very likely hand-configured, is the lack of perfect-forward-secrecy ciphersuites. And that only helps prevent future attacks, not past ones (she's "retired" at the moment).

      If somebody wanted to attack this system, attacking TLS would not be the way to do it - the configuration is good enough to make so many other vectors much cheaper attacks. I see the engineer used GoDaddy as the SSL vendor. This doesn't speak well for the budget of the project which has implications for the degree of configuration hardening that was done, which is especially crucial for a Windows machine.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Different rules for the ruling elite by schwit1 · Score: 5, Insightful

    If you treat federal law the way the secretary of state does, you go to prison.
    If you treat IRS rules the way the IRS treats IRS rules, you go to prison.
    If you treat immigration controls the way our immigration authorities do, you go to prison.
    If you’re as careless in your handling of firearms as the ATF is, you go to prison.
    If you cook your business’s books the way the federal government cooks its books, you go to prison.

  3. Re:B is the new F? by Jhon · Score: 5, Informative

    Interesting. I've got two tabs open -- both to the same URL. I see the following:

    SSL Report: mail.clintonemail.com (64.94.172.146)
    Assessed on: Sat Mar 07 15:10:39 PST 2015
    RATING: "F"

    SSL Report: mail.clintonemail.com (64.94.172.146)
    Assessed on: Tue Mar 10 09:18:02 PDT 2015
    RATING: "B"

    The difference is that Protocol Support is zero on the F, and it notes SSL 2.0 support (automatic "F").

    Looks like somebody fixed something between Saturday and today.
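The grading difference between the two scans above (an automatic F for SSL 2.0 support) and the missing forward-secrecy cipher suites bill_mcgonigle points out in comment 1 can be reproduced offline. The following Python script is an added example, not code from this thread, from Qualys or from SSL Labs. Its cap rules are a simplified reading of the SSL Labs rating guide (SSL 2.0 gives F outright, SSL 3.0 caps at C, no forward-secrecy suite or no TLS 1.2 caps at B) and should be treated as an assumption about the real scoring; the three scan results it grades (SATURDAY, TUESDAY, HARDENED) are constructed for illustration, not the actual Qualys output. The optional probe_negotiated helper makes a live connection and cannot see SSL 2.0 or 3.0, because current OpenSSL builds no longer speak them.

```python
"""Approximate SSL Labs-style grading of a TLS endpoint's configuration.

Added example: not code from the Slashdot thread, Qualys or SSL Labs. The
cap rules below are a simplified reading of the SSL Labs rating guide and
the scan results are constructed for illustration.
"""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass

# Ephemeral (EC)DH key agreement is what gives a suite forward secrecy.
# Matches IANA names (TLS_ECDHE_...) and OpenSSL names (ECDHE-RSA-..., EDH-RSA-...).
_PFS_RE = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[_-]", re.IGNORECASE)

_GRADES = "ABCDEF"


def has_forward_secrecy(suite: str) -> bool:
    """True if the suite's key exchange is ephemeral, so a later private-key
    compromise does not decrypt recorded sessions."""
    return bool(_PFS_RE.match(suite))


@dataclass
class ScanResult:
    protocols: set[str]   # e.g. {"SSL 2.0", "TLS 1.0"}
    ciphers: list[str]    # suite names the server will negotiate


def grade(result: ScanResult) -> tuple[str, list[str]]:
    """Return (letter grade, reasons). Simplified SSL Labs rules (assumption):
    SSL 2.0 -> F outright; SSL 3.0 -> cap C; no PFS suite -> cap B; no TLS 1.2 -> cap B."""
    reasons: list[str] = []
    if "SSL 2.0" in result.protocols:
        reasons.append("SSL 2.0 supported: automatic F")
        return "F", reasons

    cap = "A"

    def cap_at(letter: str, why: str) -> None:
        nonlocal cap
        if _GRADES.index(letter) > _GRADES.index(cap):
            cap = letter
        reasons.append(why)

    if "SSL 3.0" in result.protocols:
        cap_at("C", "SSL 3.0 supported (POODLE): capped at C")
    if not any(has_forward_secrecy(c) for c in result.ciphers):
        cap_at("B", "no forward-secrecy cipher suites: capped at B")
    if "TLS 1.2" not in result.protocols:
        cap_at("B", "TLS 1.2 not supported: capped at B")
    return cap, reasons


def probe_negotiated(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): what a modern client actually negotiates.
    Cannot detect SSL 2.0/3.0, which current OpenSSL builds no longer speak."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            version = tls.version()
            # Every TLS 1.3 suite uses ephemeral key agreement, whatever its name.
            pfs = version == "TLSv1.3" or has_forward_secrecy(name)
            return {"protocol": version, "cipher": name, "bits": bits, "forward_secrecy": pfs}


# Constructed scan results (illustrative, not the real Qualys output).
SATURDAY = ScanResult({"SSL 2.0", "SSL 3.0", "TLS 1.0"},
                      ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"])
TUESDAY = ScanResult({"TLS 1.0"},
                     ["TLS_RSA_WITH_AES_128_CBC_SHA"])
HARDENED = ScanResult({"TLS 1.0", "TLS 1.1", "TLS 1.2"},
                      ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"])

if __name__ == "__main__":
    for label, scan in (("Saturday", SATURDAY), ("Tuesday", TUESDAY), ("hardened", HARDENED)):
        letter, why = grade(scan)
        print(f"{label}: {letter}  {'; '.join(why) or 'no caps'}")
```

Run it as a script to see the constructed SATURDAY result graded F (SSL 2.0 alone decides it), TUESDAY capped at B (no forward-secrecy suite, no TLS 1.2), and HARDENED reaching A. The point of keeping SSL 2.0 as a short-circuit rather than a cap is the one Jhon's two reports show: removing that single protocol moved the grade from F to B before anything else changed.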

  4. Re:The Clintons by mi · Score: 5, Insightful

    Did not violate any rules regarding email retention

    Yes, she did. It may not have been against the law just yet, but it was certainly against the State Department's own rules already.

    The stupid arrangement left communications of the top American diplomat vulnerable — something Russia and other enemies would be happy to exploit on any day, but fine, a President is not supposed to be proficient in communication security.

    But we should discard public servants at the first sign of hypocrisy — and that's exactly what's on display here. And here...

    Did what every other Secretary of State did in regards to email.

    Citations needed.

    Hillary is not a bad choice.

    Lovers gonna love.

    --
    In Soviet Washington the swamp drains you.
  5. Perfect, there is surely a backup by DigitalPagan · Score: 5, Funny

    Now there's no excuse. The NSA should definitely have backups of those emails. Crisis averted everyone.

  6. Re:The Clintons by ScentCone · Score: 5, Insightful

    Did not violate any rules regarding email retention

    I'm curious. What is your agenda that you think lying about the situation will improve it? I mean, we know that's the historically Clintonian way of handling things when they get busted, but do you really think it helps when other people do it too, when the lies are so obviously debunked?

    The 2009 National Archives regulation requires federal officials to use each agency's established communication archiving systems to retain secured copies of all communication. This federal requirement was very much in effect when she was Secretary of State. She never made arrangements to have her official communications mirrored onto State's servers, and when she left, SHE DID NOT PROVIDE COPIES. She only provided a pile of hardcopies of cherry-picked email printouts once Congress discovered that she'd been holding out in violation of the Archives requirement. She got busted, and so she put employees of her family business to the task of pawing through records kept on an insecure server in her house to decide, with her review, what to pass along. And what a shocker, there are gaps of weeks and months in the records they turned over. This is a plain violation of the letter and spirit of the 2009 regulation.

    She went out of her way to avoid keeping public records available while being the second person in line to the presidency, and while roaming the world accomplishing almost nothing as SoS, except for soliciting hundreds of millions of dollars for her family's enterprise from people who are the antithesis of what she weakly proclaims are her main ideological grounds for wanting now to be the president. So even if you still think that makes her a good choice, that doesn't change her deliberate violation of federal regulations - and that doesn't even get into whether or not even ONE email on that system included the receipt or transmission of even one classified item - what do you think are the odds that the Secretary of State, in exchanging email with her counterparts overseas, and with senior officials in the White House (including the president), never addressed even one classified issue?

    --
    Don't disappoint your bird dog. Go to the range.
  7. Re:B is the new F? by Just Some Guy · Score: 5, Insightful

    The biggest difference is that no one gives a shit about your toy server, but they might have a fuckload of interest in the personal server of a US Senator and Secretary of State. Yes, I believe that State Department is likely to have better security than the random dipshit she seems to have hired who snagged a cheap GoDaddy cert. It's almost certainly going to have better availability, backup, and disaster recovery.

    It is absolutely, 100% not acceptable to run state secrets through a personally maintained server that seems to exist only for the legal reason of giving the owner 4th amendment privacy rights. An officeholder acting in official capacity should have zero expectation of privacy from the organizations they work for. I'm "picking on poor ol' Hillary" for having every appearance of attempting to circumvent disclosure laws.

    --
    Dewey, what part of this looks like authorities should be involved?
  8. Re:I Disagree by Just Some Guy · Score: 5, Informative

    The data also remains under HER control, HER ownership

    That's cute, except that it's not her data. That data is owned by the American people via its government, as are all official communications. When you're an officeholder, you don't "own" your official email.

    --
    Dewey, what part of this looks like authorities should be involved?
  9. But where is the SECRET-level physical security? by bfwebster · Score: 5, Interesting

    I had someone who did SECRET-grade e-mail setup in the military write the following to me:

    So, if for example Clinton only dealt with SECRET materials and they were sent or received in her email, all of the equipment (routers, switches, etc.) would have to be rated for that SIPRNet connection. Also, the space in which the equipment and servers and client computers resided would have to meet the specifications for SECRET material. This would include various forms of physical access control to the space in the form of secure cards, biometrics, etc. No space rated for SECRET opens with a key from the local hardware store. . . .

    The biggest issue I see here would be if the server was connected to the public Internet and it resided in a non-DoD-approved space.

    Not sure there are biometrics installed in the Clinton home in Chappaqua. ..bruce..

    --
    Bruce F. Webster (brucefwebster.com)