Welcome to MSDN Blogs Sign in | Join | Help

HTTP/HTTPS Port-Blocking in WinINET

Internet Explorer (actually, WinINET, the network stack beneath IE) prohibits use of certain ports for HTTP(S) connections. The intent of this blocking is to prevent Cross Service/Protocol Request Forgery attacks.  For instance, an attacker could use HTML Forms to send a request to an unprotected mail server such that the mail server interprets the request as a poorly-formatted, but valid request, to send an email message.  Such attacks are obviously interesting to spammers and other bad guys.

 

IE8's current port-block list contains:

 

    19 (chargen), 21 (ftp), 25 (smtp), 110 (pop3), 119 (nntp), 143 (imap2), 220 (imap3), 993 (secure imap)

 

Blocking ports 220 and 993 is new to IE8. 

 

Attempts to use these ports in HTTP/HTTPS URLs will result in a connection failure.  At this time, WinINET does not offer users or administrators a mechanism to block additional ports or unblock ports.

 

Other browsers attempt to block other ports; Firefox, for instance, blocks a larger set of ports by default.

Published Wednesday, June 17, 2009 6:17 PM by EricLaw
Filed under: , ,

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# IE8 RTW HTTP/HTTPS port-blocking expanded

PingBack from http://www.ditii.com/2009/06/18/ie8-rtw-httphttps-port-blocking-expanded/

Thursday, June 18, 2009 10:00 AM by IE8 RTW HTTP/HTTPS port-blocking expanded

# IE8 RTW Blocked Ports Set Expanded | PC Tips

PingBack from http://www.pctipsbox.com/ie8-rtw-blocked-ports-set-expanded/

Friday, June 19, 2009 6:49 AM by IE8 RTW Blocked Ports Set Expanded | PC Tips

Leave a Comment

(required) 
required 
(required) 

  
Enter Code Here: Required
 
Page view tracker