AIM 6: Err.. Port 443 Isn't Encrypting Anything But the Initial Login

A friend asked me what port AIM used and I guessed something along the lines of 5190. I wanted to check to make sure and, after issuing the command netstat -n from the command prompt, I couldn’t find any port even close to that in use. But I did see 443 in use.. SSL, eh? I was connected to the IP 205.188.10.248 at port 443. Using Sam Spade, I did an IP Block check and sure enough it was America Online.

UPDATE: Originally, I wrote the following:

This means that all communication between AOL’s server and their AIM 6 chat client is very well encrypted — great news for users who wish to use AIM in an environment where the latest (and most aggressive) version of Websense is running. Even though all of my outbound connections at work are encrypted by default, it’s nice knowing that if I even accidentally sign on with an insecure connection, my work-related, code-laden chats can’t be sniffed (so suck it, Websense!).

After my post, however, two friends suggested that it’s possible for AOL to just use port 443, not for SSL, but because it’s open on nearly all firewalls. I then decided to do additional research and, after being told that Ethereal and Packetyzer were out of style, I downloaded Wireshark, sniffed my packets and found that only the initial login is encrypted. Everything else (nick lists, conversations, etc.) is sent in clear text :| So now back to square one.. make sure your connection is fully encrypted, or use an HTTPS AIM proxy, if you want to chat it up on networks that employ Websense and other hardcore tracking software.
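The update makes the point that a connection on port 443 is not proof of TLS. One defender-side way to check that is to look at what is actually on the wire: a TLS record starts with a fixed 5-byte header, while AIM’s OSCAR protocol frames everything in FLAP headers that begin with 0x2A. The following is an added example, not code from the original post; the TLS and FLAP header layouts are standard, and the sample payloads are constructed for illustration, not captured from AIM.

```python
"""Classify port-443 payloads as TLS records or plaintext (added example)."""
import string

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSL 3.0, TLS 1.0, 1.1, 1.2
PRINTABLE = set(string.printable.encode())
MAX_TLS_RECORD = 16384 + 2048                   # plaintext max plus allowed expansion


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the first 5 bytes parse as a plausible TLS record header."""
    if len(payload) < 5:
        return False
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    return content_type in TLS_CONTENT_TYPES and version in TLS_VERSIONS and 0 < length <= MAX_TLS_RECORD


def looks_like_oscar_flap(payload: bytes) -> bool:
    """True if payload starts with an OSCAR FLAP header: 0x2A, channel 1-5, seq, body length."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return False
    channel = payload[1]
    body_len = int.from_bytes(payload[4:6], "big")
    return 1 <= channel <= 5 and len(payload) >= 6 + body_len   # segment may hold several frames


def classify(payload: bytes) -> str:
    """Return 'tls', 'oscar-plaintext', 'plaintext' (mostly printable) or 'unknown'."""
    if looks_like_tls_record(payload):
        return "tls"
    if looks_like_oscar_flap(payload):
        return "oscar-plaintext"
    printable_ratio = sum(b in PRINTABLE for b in payload) / max(len(payload), 1)
    return "plaintext" if printable_ratio > 0.9 else "unknown"


def flag_non_tls_on_443(flows):
    """flows: iterable of (dst_port, first_payload). Return the 443 flows that are not TLS."""
    return [(port, classify(p)) for port, p in flows if port == 443 and classify(p) != "tls"]


# Constructed sample flows (not real captures): a ClientHello-shaped TLS record,
# a FLAP data frame on channel 2, an HTTP request, and a non-443 flow that is ignored.
SAMPLE_FLOWS = [
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + b"\x01\x00\x00\x2b" + b"\x00" * 43),
    (443, bytes([0x2A, 0x02, 0x00, 0x01, 0x00, 0x05]) + b"hello"),
    (443, b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"),
    (5190, bytes([0x2A, 0x01, 0x00, 0x00, 0x00, 0x00])),
]

if __name__ == "__main__":
    for port, verdict in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"port {port}: not TLS ({verdict})")
```

Running the same header checks over the first payload of each 443 flow in a real capture separates genuine HTTPS from protocols that merely borrow the port.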

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security
5 comments on “AIM 6: Err.. Port 443 Isn't Encrypting Anything But the Initial Login”
  1. Legolas says:

    > This means that all communication [..] is very well encrypted

    Well, it hints at it, but there is nothing that would stop them from running whatever they want (say, an ftp server ;-) on port 443, I guess… They could just be using 443 because it will be open in most firewalls. Although I think you’re more than likely right…

  2. Chrissy says:

    Dude you are totally right :| It’s all clear-text after the initial login. I’ve updated the blog posting…

  3. sqopt says:

    A few things come to mind:
    1.) Use GAIM, which is perfectly functional, doesn’t have all the aol crapola on your screen, and for which teh crypt0r pluginz are available; and/or
    2.) Pipe all the traffic through tor. See tor.eff.org.

  4. DL says:

    We use Websense and it blocks all my instant messengers (AIM, Yahoo, MSN, ICQ).

    I didn’t see 443 when I used the netstat -an command.

    How do I solve it? Please help !

  5. Well, as a vendor from the business side we are happy with the fact that Websense can aggressively track the communication. And, while encrypting the traffic will keep the message hidden, it also will throw up a big red flag for Websense that something out of the ordinary is going on.
