The arguments in the media about the Hillary Clinton email scandal tend to center around whether or not her use of personal email broke the law, or at the very least that she used a system which didn't provide the record-keeping, and backup functions as required by law. But, there is a much bigger issue in this latest of Clinton scandals--- national security. Here was the Secretary of State using a private server located in her home without the same protections as a government server to send her sometimes-sensitive communications. Any good hacker could have gotten into her emails.
Sam Biddle at Gawker spoke to computer security experts who warned that Clinton's use of her personal emails on her private system which didn't provides the same automatic security as the federal server, may have put some of our nation's secrets at risk.
"It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted," independent security expert and developer Nic Cubrilovic told Gawker.
Apparently Clinton's email domain (Clintonemail.com) had "two other public-facing ClintonEmail.com subdomains, which can allow anyone with the right URL to try to sign in."
Any hacker anywhere in the world who figures out the right URL can try and log in. North Korea was able to log into the Sony system. If they attacked clintonemail.com they could have achieved the same successes. In 2013 a hacker who got into Clinton adviser Sidney Blumenthal’s email, uncovered Ms. Clinton’s use of private email, making it public knowledge. Since then the Secretary of State's account became fair game for hackers.
When “Guccifer” (who was later identified as Marcel Lazar Lehel) breached Blumenthal’s account, he discovered an assortment of correspondence sent to Hillary Clinton at the e-mail address firstname.lastname@example.org.
Some of the Blumenthal hacked emails included sensitive confidential emails about foreign governments, so it is reasonable to assume that once "the Guccifer" hack exposed Hillary's private email account email@example.com, that other hackers went after her private system.
What's more troubling is the fact that, at least as of yesterday [the Clinton server] has an invalid SSL certificate. Digital certificates are used to "sign" the encryption keys that servers and browsers use to establish encrypted communications. (The reason that hackers can't just vacuum the internet traffic between your browser and Google's Gmail servers and read your email is that your browser is encrypting the data to a public encryption key. The reason that you know that you are encrypting to Google's key and not to, say, the People's Liberation Army's, is that the Gmail servers have a digital certificate from a trusted third-party confirming that the key is theirs.)
(...) the certificate used by Clinton's server is self-signed—verified by the authority that issued it, but not by a trusted third party—and therefore regarded by Google's Chrome browser as prima facie invalid. The government typically uses military-grade certificates and encryption schemes for its internal communications that designed with spying from foreign intelligence agencies in mind. But the ClintonEmail.com setup? "If you're buying jam online," says Hansen, "you're fine." But for anything beyond consumer-grade browsing, it's a shoddy arrangement.
Computer security expert David Kennedy said something similar when interviewed by Greta Van Susteren on her show Wednesday (see video below).
Technology site Gizmodo, raised a totally different issue, email sites with similar names.
...another valid domain, clintonmail.com, owned by somebody else with the last name Clinton since 2002 (note the lack of an "e," which is the only difference between it and Hillary Clinton's domain). "How many emails meant for the Secretary of State has the owner of clintonmail.com received?" [Patrick] Nielsen of [Kaspersky Lab]asked, adding that this isn't a problem with .gov domains since only the government can register them. "In short, from a security perspective, using your own email address to conduct official business is a very bad idea, explains Nielsen.
As Secretary of State Clinton knew very well the dangers of non-governmental email accounts. In 2012 Scott Gration the U.S. Ambassador to Kenya was forced out of his position because of an Inspector General report that blasted his performance partially because of his use of G-Mail instead of the State Department's email
He drafted and distributed a mission policy authorizing himself and other mission personnel to use commercial email [G-mail] for daily communication of official government business. During the inspection, the Ambassador continued to use commercial email for official government business. The Department email system provides automatic security, record-keeping, and backup functions as required. The Ambassador’s requirements for use of commercial email in the office and his flouting of direct instructions to adhere to Department policy have placed the information management staff in a conundrum: balancing the desire to be responsive to their mission leader and the need to adhere to Department regulations and government information security standards.
If the Ambassador to Kenya got an awful performance report which forced him to resign, logic dictates that the Secretary of State would know about it possibly even before the ambassador himself found out.