There's been some buzz recently about Hillary Clinton using a personal email server for official state business. The Wired piece is an interesting read:
http://www.wired.com/2015/03/clintons-email-server-vulnerable/
Probably the most surprising thing in the article for me is not about Hillary's email server at all. In discussing Hillary's invalid SSL certificate, the article casually mentions that the State Department uses a self-signed certificate, implying that their email could be compromised by a man-in-the-middle attack similar to what could target Hillary's email server. Here's a link that illustrates the invalid certificate:
https://www.state.gov/
At the time of writing, the certificate belongs to Akamai, not to the State Department. The certificate was issued by Cybertrust and will expire in June 2015.
Does this imply that the State Department's email could be compromised? Probably not. It's unlikely they are using this certificate for their email servers - it's more likely that this is an unintentional misconfiguration of their CDN impacting only their public-facing website. That's a much smaller security issue than implied in the article.
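The observation above is that the certificate is CA-issued but names a different party than the site, which is a different failure from a self-signed certificate. The following added example (not from the original post) tells the two apart using the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`. All hostnames and certificate contents are constructed, and "issuer equals subject" is used as a heuristic for self-signed.

```python
# Added example: classify why a certificate does not validate for a host.
# Sample certificates below are constructed, not captured from any real site.

def flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a sorted list of (key, value)."""
    return sorted(pair for rdn in name for pair in rdn)

def dns_names(cert):
    """DNS subjectAltName entries; fall back to commonName if there is no SAN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for k, v in flatten(cert.get("subject", ())) if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or one leftmost '*' label standing for exactly one host label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(cert, host):
    """Return 'self-signed', 'name-mismatch' or 'name-ok' for this host."""
    # Heuristic: identical issuer and subject means no CA vouches for the cert.
    if flatten(cert["issuer"]) == flatten(cert["subject"]):
        return "self-signed"
    if any(name_matches(n, host) for n in dns_names(cert)):
        return "name-ok"
    # CA-issued, but for someone else's names (e.g. a CDN's default certificate).
    return "name-mismatch"

CDN_CERT = {  # constructed: CA-issued certificate belonging to a CDN
    "subject": ((("organizationName", "Example CDN Inc."),),
                (("commonName", "edge.cdn-provider.example"),)),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "edge.cdn-provider.example"),
                       ("DNS", "*.cdn-provider.example")),
}
SELF_SIGNED_CERT = {  # constructed: issuer and subject are the same name
    "subject": ((("commonName", "mail.agency.example"),),),
    "issuer": ((("commonName", "mail.agency.example"),),),
}

if __name__ == "__main__":
    for cert, host in [(CDN_CERT, "www.agency.example"),
                       (SELF_SIGNED_CERT, "mail.agency.example")]:
        print(host, "->", classify(cert, host))
```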