AIM 6: Err.. Port 443 Isn't Encrypting Anything But the Initial Login

A friend asked me what port AIM used and I guessed something along the lines of 5190. I wanted to check to make sure and, after issuing the command netstat -n from the command prompt, I couldn’t find any port even close to that in use. But I did see 443 in use.. SSL, eh? I was connected to the IP at port 443. Using Sam Spade, I did an IP Block check and sure enough it was America Online.

UPDATE: Originally, I wrote the following:

This means that all communication between AOL’s server and their AIM 6 chat client is very well encrypted — great news for users who wish to use AIM in an environment where the latest (and most aggressive) version of Websense is running. Even though all of my outbound connections at work are encrypted by default, it’s nice knowing that if I even accidentally sign on with an insecure connection, my work-related, code-laden chats can’t be sniffed (so suck it, Websense!).

After my post, however, two friends suggested that it’s possible for AOL to just use port 443, not for SSL, but because it’s open on nearly all firewalls. I then decided to do additional research and after being told that Ethereal and Packetyzer were out-of-style, I downloaded Wireshark, sniffed my packets and found that only the initial login is encrypted. The rest of everything, nick lists, conversations, etc are all sent in clear-text :| So now back to square one.. make sure your connection is fully encrypted or you use an HTTPS AIM proxy if you want to chat it up on networks that employ Websense and other hardcore tracking software.
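The point of the update is that a connection to port 443 in netstat says nothing about whether the bytes on it are encrypted. As an added example (not part of the original post), this sketch checks captured TCP payload bytes for TLS record framing; the function names and the sample payloads are constructed for illustration, and it assumes the capture starts at the beginning of the connection.

```python
# TLS record header: 1-byte content type, 2-byte version, 2-byte length.
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record allowed by TLS 1.2


def walk_tls_records(payload: bytes):
    """Parse consecutive TLS record headers.

    Returns (list of content types seen, number of bytes accounted for).
    """
    seen, off = [], 0
    while off + 5 <= len(payload):
        ctype, major, minor = payload[off], payload[off + 1], payload[off + 2]
        length = int.from_bytes(payload[off + 3:off + 5], "big")
        if (ctype not in TLS_TYPES or major != 3 or minor > 4
                or length > MAX_RECORD_LEN):
            break  # not a plausible record header
        seen.append(TLS_TYPES[ctype])
        if off + 5 + length > len(payload):
            off = len(payload)  # capture ended in the middle of a record
            break
        off += 5 + length
    return seen, off


def classify(payload: bytes) -> str:
    """Label a stream 'tls', 'tls-then-other' or 'not-tls'."""
    seen, consumed = walk_tls_records(payload)
    if not seen or seen[0] != "handshake":
        return "not-tls"  # a TLS connection opens with a handshake record
    return "tls" if consumed == len(payload) else "tls-then-other"


def record(ctype: int, body: bytes) -> bytes:
    """Build a constructed sample record with version bytes 3,1."""
    return bytes([ctype, 3, 1]) + len(body).to_bytes(2, "big") + body


# Constructed samples, not real captures.
TLS_SAMPLE = record(22, b"\x01\x00\x00\x00") + record(23, bytes.fromhex("9f3c1a7be2d04c55"))
CLEAR_SAMPLE = b"buddy list: alice,bob\r\nhello from work\r\n"

if __name__ == "__main__":
    for name, data in [("tls", TLS_SAMPLE), ("clear", CLEAR_SAMPLE),
                       ("mixed", TLS_SAMPLE + CLEAR_SAMPLE)]:
        print(name, "->", classify(data))
```

Feed it the reassembled client-to-server or server-to-client bytes of one connection exported from the packet capture; a "not-tls" or "tls-then-other" result on port 443 means the stream deserves a closer look in the sniffer.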

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

5 comments on “AIM 6: Err.. Port 443 Isn't Encrypting Anything But the Initial Login”
  1. Legolas says:

    > This means that all communication [..] is very well encrypted

    Well, it hints at it, but there is nothing that would stop them from running whatever they want (say, an ftp server ;-) on port 443, I guess… They could just be using 443 because it will be open in most firewalls. Although I think you’re more than likely right…

  2. Chrissy says:

    Dude you are totally right :| It’s all clear-text after the initial login. I’ve updated the blog posting…

  3. sqopt says:

    A few things come to mind:
    1.) Use GAIM, which is perfectly functional, doesn’t have all the aol crapola on your screen, and for which teh crypt0r pluginz are available; and/or
    2.) Pipe all the traffic through tor. See

  4. DL says:

    We use Websense and block all my instant msger (AIM, Yahoo, MSN, ICQ).

    I didn’t see 443 when I use netstat -an command

    How do I solve it? Please help !

  5. Well, as a vendor from the business side we are happy with the fact that Websense can aggressively track the communication. And, while encrypting the traffic will keep the message hidden, it also will throw up a big red flag for websense that something is going on out of the ordinary.
