As documented below, a few security concerns have surfaced regarding the special private email server solution.  These findings document the need for robust encryption and email server best practices that are beneficial in protecting sensitive information.  However some basic protection was in place, and so far no security breaches have been reported with this special arrangement.

Venafi’s analysis shows the certificates to all be domain-validated, as opposed to the more rigorously audited Extended Validation (EV-SSL) certificates that can also be used to secure servers. Looking at the underlying technology for the server, Bocek said that is running Microsoft’s Internet Information Server (IIS) 7 Web server for Web services. The server is not leveraging Perfect Forward Secrecy (PFS), which is an SSL/TLS server deployment option that provides new encryption keys for every connection session. After revelations of U.S government snooping, multiple large Web properties, including Twitter, began to deploy Perfect Forward Secrecy in 2013 in an effort to harden security. Though Clinton’s server wasn’t using the most advanced forms of cryptographic protections for her email, at this time, there is no indication of current certificate misuse, Bocek said.

However, when digital security consultant Alex McGeorge examined Clinton’s e-mail set-up this week he found it used a default encryption “certificate,” instead of one purchased specifically for Clinton’s service. Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. “It’s bewildering to me,” he said. “We should have a much better standard of security for the secretary of state.”.

Using a scanning tool called Fierce that he developed, Robert Hansen, a web-application security specialist, found what he said were the addresses for Microsoft Outlook Web access server used by Clinton’s e-mail service, and the virtual private network used to download e-mail over an encrypted connection. If hackers located those links, they could search for weaknesses and intercept traffic, according to security experts.  Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.

That’s a little like buying software that comes with a default security password of “password” and then never changing it. This isn’t the first time this week that an expert’s claimed that Hillary’s e-mail set-up was insecure either. MKH noted last night that an IT person at the State Department had warned Hillary’s team that a private server wasn’t as secure as federal servers were.