Around Spring 2009: Clinton’s computer technician is advised to make a key improvement to the security of Clinton’s private server, but the improvement is never made.

When Bryan Pagliano, the manager of Clinton’s private server while she Clinton’s is secretary of state, will be interviewed by the FBI in December 2015, he will recall a conversation that takes place around the beginning of Clinton’s tenure. This person, whose name is later redacted, recommends that email transiting from a state.gov account to Clinton’s private server should be sent through a Transport Layer Security (TLS) “tunnel.” Most of Clinton’s email traffic is with State Department officials using state.gov accounts.

A diagram of the Transport Layer Security (TLS) (Credit: public domain)

A diagram described as Networking 101: Transport Layer Security (TLS) (Credit: public domain)

A September 2016 FBI report will explain: “TLS is a protocol that ensures privacy between communicating applications, such as web browsing, email, and instant messaging, with their users on the Internet. TLS ensures that no third-party eavesdrops on the two-way communication. TLS is the successor to SSL and is considered more secure.”

Pagliano is the main person to manage problems with the server, but he will tell the FBI that the transition to TLS never occurred. It is not clear why. The FBI will be unable to forensically determine if TLS was ever implemented on the server.

The same unnamed person who gives Pagliano this advice also tells him at the same time that he would not be surprised if classified information was being transmitted to Clinton’s personal server.  (Federal Bureau of Investigation, 9/2/2016)

March 29, 2009: For the first two months Clinton uses her private server for all her emails, it operates without the standard encryption generally used to protect Internet communication.

Clinton meets Chinese State Councillor Dai Bingguo in the Diaoyutai State Guesthouse in Beijing, China, on February 21, 2009. (Credit: Greg Baker / Getty Images)

Clinton meets Chinese State Councillor Dai Bingguo in the Diaoyutai State Guesthouse in Beijing, China, on February 21, 2009. (Credit: Greg Baker / Getty Images)

This is according to a 2015 independent analysis by Venafi Inc., a cybersecurity firm that specializes in the encryption process. Not until this day does the server receive a “digital certificate” that encrypts and protects communication over the Internet through encryption.

The Washington Post will later report, “It is unknown whether the system had some other way to encrypt the email traffic at the time. Without encryption—a process that scrambles communication for anyone without the correct key—email, attachments and passwords are transmitted in plain text.”

A Venafi official will later comment, “That means that anyone could have accessed it. Anyone.” (The Washington Post, 3/27/2016)

Clinton began sending emails using the server by January 28, 2009, but will later claim she didn’t start using it until March 18, 2009—a two-month gap similar to the two-month gap the server apparently wasn’t properly protected. Apparently, she has not given investigators any of her emails from before March 18. (The New York Times, 9/25/2015)

A 2016 op-ed in the Washington Post will suggest that security concerns during Clinton’s February 2009 trip to Asia could have prompted the use of encryption on her server. (The Washington Post, 4/4/2016)

An FBI report released in September 2016 will confirm that encyption only began in March 2009. It states that “in March 2009, [Bill Clinton aide Justin] Cooper registered a Secure Sockets Layer (SSL) encryption certificate at [Bryan] Pagliano’s direction for added security when users accessed their email from various computers and devices.” (Federal Bureau of Investigation, 9/2/2016)

March 29, 2009: The encryption certificate used on Clinton’s private server starting on this day has an unusually long duration.

It is valid for four years and then will be renewed with a five year certificate in 2013. Kevin Bocek, vice president of security company Venafi, will later say, “Most security professionals wouldn’t recommend that. Google uses three-month certificates.” The certificate used a standard strength 2,048-byte encryption key. However, it doesn’t use “perfect forward secrecy.” That means that if the key is broken, multiple emails can be accessed. (ComputerWorld, 3/11/2015)

A 2016 FBI report will confirm this, mentioning that the certificate is valid until September 13, 2013, at which time a new certificate is obtained which is valid until September 13, 2018. (Federal Bureau of Investigation, 9/2/2016)

March 4, 2015: Clinton’s private server used a misconfigured encryption system.

Alex McGeorge (Credit: CNBC)

Alex McGeorge (Credit: CNBC)

Alex McGeorge, head of threat intelligence at Immunity Inc., a digital security firm, investigates what can be learned about Clinton’s still-operating server. He says, “There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised. It’s just inherently less secure.” He is encouraged to learn the server is using a commercial encryption product from Fortinet. However, he discovers it uses the factory default encryption “certificate,” instead of one purchased specifically for Clinton.

Bloomberg News reports: “Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. […] Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.”

McGeorge comments, “It’s bewildering to me. We should have a much better standard of security for the secretary of state.” (Bloomberg News, 3/4/2015)

March 5, 2015: Clinton’s private server is active and shows obvious security vulnerabilities.

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that Clinton’s private email server is still active and shows signs of poor security. If one goes to the web address clintonemail.com, one gets a blank page. But if one goes to the subdomain sslvpn.clintonemail.com, a log-in page appears. That means anyone in the world who puts in the correct user name and password could log in.

Furthermore, the server has an invalid SSL certificate. That means the encryption is not confirmed by a trusted third party. Gawker notes, “The government typically uses military-grade certificates and encryption schemes for its internal communications that designed with spying from foreign intelligence agencies in mind,” and Clinton’s server clearly is not up to that standard.

It also opens the server to what is called a “man in the middle” hacker attack, which means someone could copy the security certificate being used and thus scoop up all the data without leaving a trace. The invalid certificate also leaves the server vulnerable to widespread Internet bugs that can let hackers copy the entire contents of a servers’ memory.

As a result, independent security expert Nic Cubrilovic concludes, “It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted.” (Gawker, 3/5/2015)

Clinton still doesn’t shut the server down. However, about two days later, the security settings are changed.

Around March 7, 2015: Changes are made to the security settings of Clinton’s private server after its existence was revealed in the media.

In the days following a New York Times article revealing Clinton’s use of her private server, Cheryl Mills, who is one of Clinton’s lawyers as well as her former chief of staff, requests that Platte River Networks (PRN), the computer company managing Clinton’s server, conduct a complete inventory of all equipment related to the server. Two unnamed PRN employees do so.

This results in some changes to the server’s security settings around March 7, 2015. According to a September 2016 FBI report, these changes “include disabling the server’s public-facing VPN page and switching from SSL protocol to TLS to increase security.”

The FBI will explain: “TLS is a protocol that ensures privacy between communicating applications, such as web browsing, email, and instant-messaging, with their users on the Internet. TLS ensures that no third-party eavesdrops on the two-way conummication. TLS is the successor to SSL and is considered more secure.” (Federal Bureau of Investigation, 9/2/2016)