As the news surrounding former Secretary of State Hillary Clinton and her use of a private email server continues to swirl, security specialist Venafi offered its take on the situation.
Venafi’s analysis is being accompanied by the 2015 Cost of Failed Trust Report, which provides broader insight into the state of Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate use on the modern Internet.
To properly secure data transfer on the Internet, cryptography is used, typically in the form of SSL/TLS certificates. Venafi has a new service, called TrustNet, which was used to conduct the analysis on the “clintonemail.com” domain used by the former Secretary of State. TrustNet looks at how digital certificates are used in an effort to help track them and prevent potential misuse.
Venafi TrustNet acquires certificates and metadata from Internet scanning as well as public domain historical archives, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
The Venafi scanning effort discovered that “clintonemail.com” did, in fact, have SSL/TLS certificates in place on the site. The analysis found three different certificates were issued since 2009, with one issued by Network Solutions for “mail.clintonemail.com” in March 2009 that expired in September 2013.
There is another certificate for “mail.clintonemail.com” that was issued by GoDaddy in September 2013 that is valid until September 2018. Additionally, a certificate was issued in February 2012 by Network Solutions for the “sslvpn.clintonemail.com” domain that is valid until February 2013.
“The 2009-issued ‘mail.clintonemail.com’ and 2012-issued ‘sslvpn.clintonemail.com’ certificates were found in the historical archives,” Bocek told eWEEK. “The TrustNet scanning engine acquired the current 2013-issued ‘mail.clintonemail.com’ certificates.”
Venafi’s analysis shows the certificates to all be domain-validated, as opposed to the more rigorously audited Extended Validation (EV-SSL) certificates that can also be used to secure servers.
Looking at the underlying technology for the server, Bocek said that Clintonemail.com is running Microsoft’s Internet Information Server (IIS) 7 Web server for Web services. The server is not leveraging Perfect Forward Secrecy (PFS), which is an SSL/TLS server deployment option that provides new encryption keys for every connection session. After revelations of U.S government snooping, multiple large Web properties, including Twitter, began to deploy Perfect Forward Secrecy in 2013 in an effort to harden security.
Though Clinton’s server wasn’t using the most advanced forms of cryptographic protections for her email, at this time, there is no indication of current certificate misuse, Bocek said.
“During the time Secretary Clinton was using ‘clintonemail.com’ with certificates and encryption, she traveled to China, Egypt, Israel and South Korea,” Bocek said. “The risks of eavesdropping and/or credential theft were and are real for both businesses and government travelers.”
2015 Cost of Failed Trust Report
The research for the 2015 Cost of Failed Trust Report, sponsored by Venafi and conducted by the Ponemon Institute, sheds some additional light on how organizations manage and use SSL/TLS certificates. The study surveyed 2,300 IT security professionals in the United States, the United Kingdom, Australia, France and Germany.
The study found that 54 percent of organizations admitted that they did not know how all their digital certificates were being used or even where they were all located.
Looking at the types of attacks that occur against cryptographic security, respondents indicated that man-in-the-middle (MITM) attacks were the most common, followed by attacks against weak cryptography. The use of weak cryptography is at the heart of the FREAK SSL/TLS flaw that was disclosed on March 3 and has since been patched by Apple and Microsoft.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.