Clinton Told FBI Colin Powell Recommended Private Email: Sources

I love watching the FOX zealots try to nitpick their way to making a case. Hillary's server was manufactured by Dell....and Colin Powell's was made by HP! So it's like apples and oranges!
Quote

Originally posted by: forkushV

I agree with jatki on one thing; this wouldn't be an issue if Secretary Clinton wasn't running for president.


Well DUH! Any sane person would and SHOULD be concerned about any potential presidential candidate who, as SoS, put the country's classified information (well, ALL of her mail as SoS on a private server) at complete risk of a security breach by easily getting hacked.

People should be VERY CONCERNED because it is an issue, a big one.
Quote

Originally posted by: pjstroh
I love watching the FOX zealots try to nitpick their way to making a case. Hillary's server was manufactured by Dell....and Colin Powell's was made by HP! So it's like apples and oranges!


Hillary's server was in her home and contained virtually ALL her job-related sensitive email and lacked normal security measures (per Wired magazine).

Colin's server was managed by top government security experts and contained the vast majority of his job-related sensitive email. Colin had a small percentage of his email on an AOL server which was professionally managed / secured.

If that is nitpicking, then you have no clue with respect to computer security!

Quote

Originally posted by: jphelan
Quote

Originally posted by: pjstroh
I love watching the FOX zealots try to nitpick their way to making a case. Hillary's server was manufactured by Dell....and Colin Powell's was made by HP! So it's like apples and oranges!


Hillary's server was in her home and contained virtually ALL her job-related sensitive email and lacked normal security measures (per Wired magazine).

Colin's server was managed by top government security experts and contained the vast majority of his job-related sensitive email. Colin had a small percentage of his email on an AOL server which was professionally managed / secured.

If that is nitpicking, then you have no clue with respect to computer security!
What were the security arrangements for gwb43.com? I don't know, and until this moment, it never occurred to you, did it?


Cyber security has progressed so much since GWB was in office and the government is at the leading edge of this progress. Somehow, I trust government cyber security experts more than someone who runs a server in 2013 without an Intrusion Detection System and an expired security certificate!
How unsafe was Clinton's email server?

But the real worry comes from two other public-facing ClintonEmail.com subdomains, which can allow anyone with the right URL to try to sign in.

One is sslvpn.clintonemail.com, which provides a login page that apparently uses an SSL VPN—a protocol that allows your web browser to create an encrypted connection to a local network from any internet connection—to users to access their email. That sounds secure, and under the right circumstances, for regular users, it can be. But there are two huge problems with using it for the Secretary of State's communications with her staff and others.


First: Anyone in the world with that URL can attempt to log in. It's unclear what exactly lies on the other side of this login page, but the fact that you could log into anything tied to the Secretary of State's email is, simply, bad. If the page above is directly connected to Clinton's email server, a login there could be disastrous, according to Robert Hansen, VP of security firm WhiteHat Labs:

It might be the administrative console interface to the Windows machine or a backup. In that case, all mail could have been copied.
What's more troubling is the fact that, at least as of yesterday, the server at sslvpn has an invalid SSL certificate. Digital certificates are used to "sign" the encryption keys that servers and browsers use to establish encrypted communications. (The reason that hackers can't just vacuum the internet traffic between your browser and Google's Gmail servers and read your email is that your browser is encrypting the data to a public encryption key. The reason that you know that you are encrypting to Google's key and not to, say, the People's Liberation Army's, is that the Gmail servers have a digital certificate from a trusted third-party confirming that the key is theirs.)

When you attempt to access sslvpn.clintonemail.com using Google's Chrome browser, this is what you see:

The apparent reason for that message is that the certificate used by Clinton's server is self-signed—verified by the authority that issued it, but not by a trusted third party—and therefore regarded by Google's Chrome browser as prima facie invalid. The government typically uses military-grade certificates and encryption schemes for its internal communications that are designed with spying from foreign intelligence agencies in mind. But the ClintonEmail.com setup? "If you're buying jam online," says Hansen, "you're fine." But for anything beyond consumer-grade browsing, it's a shoddy arrangement.

Security researcher Dave Kennedy of TrustedSec agrees: "It was done hastily and not locked down." Mediocre encryption from Clinton's outbox to a recipient (or vice versa) would leave all of her messages open to bulk collection by a foreign government or military. Or, if someone were able to copy the security certificate Clinton used, they could execute what's called a "man in the middle" attack, invisible eavesdropping on data. "It's highly likely that another person could simply extract the certificate and man in the middle any user of the system without any warnings whatsoever," Hansen said.

The invalid certificate would have also likely left Clinton vulnerable to widespread internet bugs like "Heartbleed," which was only discovered last spring, and may have let hackers copy the entire contents of the Clinton servers' memory. Inside that memory? Who knows: "It could very well have been a bunch of garbage," said Hansen, or "it could have been her full emails, passwords, and cookies." Heartbleed existed unnoticed for years. A little social engineering, Hansen said, could give attackers access to Clinton's DNS information, letting them route and reroute data to their own computers without anyone realizing. "It's a fairly small group of people who know how to do that," Hansen noted, but "it's not hard—it's just a lot of steps."
Quote

Originally posted by: forkushV
Quote

Originally posted by: jphelan
Quote

Originally posted by: pjstroh
I love watching the FOX zealots try to nitpick their way to making a case. Hillary's server was manufactured by Dell....and Colin Powell's was made by HP! So it's like apples and oranges!


Hillary's server was in her home and contained virtually ALL her job-related sensitive email and lacked normal security measures (per Wired magazine).

Colin's server was managed by top government security experts and contained the vast majority of his job-related sensitive email. Colin had a small percentage of his email on an AOL server which was professionally managed / secured.

If that is nitpicking, then you have no clue with respect to computer security!
What were the security arrangements for gwb43.com? I don't know, and until this moment, it never occurred to you, did it?





Gotta love how forky, and others, want to keep bringing up past things that aren't even remotely connected to the issue at hand, the hill's unsecured personal server which she did the ENTIRETY of her correspondence (classified info to yoga) on said server. Who gives a rat's ass about GW's emails, that's a completely separate issue and should be addressed if necessary.

Why don't you bring up bankruptcies again forky, or how about blow jobs in the oval office, they have the same relevancy as the crap you're trying to compare the hill's gross indiscretions to? (which would make the avg. person ineligible for any type of sec. clearance)
Quote

Originally posted by: jphelan
How unsafe was Clinton's email server?

But the real worry comes from two other public-facing ClintonEmail.com subdomains, which can allow anyone with the right URL to try to sign in.

One is sslvpn.clintonemail.com, which provides a login page that apparently uses an SSL VPN—a protocol that allows your web browser to create an encrypted connection to a local network from any internet connection—to users to access their email. That sounds secure, and under the right circumstances, for regular users, it can be. But there are two huge problems with using it for the Secretary of State's communications with her staff and others.


First: Anyone in the world with that URL can attempt to log in. It's unclear what exactly lies on the other side of this login page, but the fact that you could log into anything tied to the Secretary of State's email is, simply, bad. If the page above is directly connected to Clinton's email server, a login there could be disastrous, according to Robert Hansen, VP of security firm WhiteHat Labs:

It might be the administrative console interface to the Windows machine or a backup. In that case, all mail could have been copied.
What's more troubling is the fact that, at least as of yesterday, the server at sslvpn has an invalid SSL certificate. Digital certificates are used to "sign" the encryption keys that servers and browsers use to establish encrypted communications. (The reason that hackers can't just vacuum the internet traffic between your browser and Google's Gmail servers and read your email is that your browser is encrypting the data to a public encryption key. The reason that you know that you are encrypting to Google's key and not to, say, the People's Liberation Army's, is that the Gmail servers have a digital certificate from a trusted third-party confirming that the key is theirs.)

When you attempt to access sslvpn.clintonemail.com using Google's Chrome browser, this is what you see:

The apparent reason for that message is that the certificate used by Clinton's server is self-signed—verified by the authority that issued it, but not by a trusted third party—and therefore regarded by Google's Chrome browser as prima facie invalid. The government typically uses military-grade certificates and encryption schemes for its internal communications that are designed with spying from foreign intelligence agencies in mind. But the ClintonEmail.com setup? "If you're buying jam online," says Hansen, "you're fine." But for anything beyond consumer-grade browsing, it's a shoddy arrangement.

Security researcher Dave Kennedy of TrustedSec agrees: "It was done hastily and not locked down." Mediocre encryption from Clinton's outbox to a recipient (or vice versa) would leave all of her messages open to bulk collection by a foreign government or military. Or, if someone were able to copy the security certificate Clinton used, they could execute what's called a "man in the middle" attack, invisible eavesdropping on data. "It's highly likely that another person could simply extract the certificate and man in the middle any user of the system without any warnings whatsoever," Hansen said.

The invalid certificate would have also likely left Clinton vulnerable to widespread internet bugs like "Heartbleed," which was only discovered last spring, and may have let hackers copy the entire contents of the Clinton servers' memory. Inside that memory? Who knows: "It could very well have been a bunch of garbage," said Hansen, or "it could have been her full emails, passwords, and cookies." Heartbleed existed unnoticed for years. A little social engineering, Hansen said, could give attackers access to Clinton's DNS information, letting them route and reroute data to their own computers without anyone realizing. "It's a fairly small group of people who know how to do that," Hansen noted, but "it's not hard—it's just a lot of steps."


Btw, Java 7 and above refuses self-signed certs.

Oh, Forkie.

Classification is top, bottom, front, and back. Classification of each paragraph and sentence (if higher/lower than the paragraph classification), classified by and declassification instructions.

After a fashion, you can see in about .01 sec if a document is classified. If you can't figure it then you have no business handling it.

Btw, Clinton had SAP (Special Access Program) emails on her server and you get read in/out of any program involving that stuff. It's much higher classification than secret or confidential.....