HTTP/HTTPS Port-Blocking in WinINET

Internet Explorer (more precisely WinINET, the networking stack beneath IE) refuses to make HTTP(S) connections to certain TCP ports. The intent of this blocking is to prevent cross-service / cross-protocol request forgery attacks. HTTP is line-oriented text, so a page can make the browser send a request that some other text-based service will read as commands. For instance, an attacker could use an HTML form to POST to port 25 of an unprotected mail server: the server answers the HTTP request line and headers with error replies and keeps reading, then interprets the form body as a valid (albeit poorly-formatted) sequence of SMTP commands to send an email message. Such attacks are obviously interesting to spammers and other bad guys.

IE8's current port-block list contains:

    19 (chargen), 21 (ftp), 25 (smtp), 110 (pop3), 119 (nntp), 143 (imap2), 220 (imap3), 993 (secure imap)

Blocking ports 220 and 993 is new to IE8.

Attempts to use any of these ports in an HTTP or HTTPS URL result in a connection failure; the request is never sent. At this time, WinINET offers users and administrators no mechanism to block additional ports or to unblock any of these.

Other browsers block different sets of ports; Firefox, for instance, blocks a larger set by default and, unlike WinINET, lets the list be adjusted through the network.security.ports.banned and network.security.ports.banned.override preferences.