AIM 6.0 protocol changes...

Sean Egan seanegan at
Thu Aug 23 01:02:21 EDT 2007

On 8/20/07, Thomas Hruska <thruska at> wrote:
> If AOL takes the '' (OSCAR) and BOS servers down,
> GAIM (along with all other third-party AIM clients) will lose access to
> the AIM service.  Figuring out how AIM talks to the new server is going
> to be tough.  AIM 6 probably verifies the SSL certificate that is sent
> by the server (that verification probably isn't complete**).  It'll
> probably have to be a man-in-the-middle-messing-with-Crypto-API-hooking
> attack to passively watch the decrypted traffic.

I very much doubt that AIM will shut off OSCAR anytime soon. Of AIM,
ICQ, Yahoo, and MSN, AIM is the only one that has not significantly
changed their protocol ever. You should be able to login with winaim
1.0, today, no problem.

Since then, they've even released libraries for third-party clients. I
do not think AOL is going to suddenly break compatibility with
everything other than AIM 6.

> * Ran a quick test by writing a script and connecting in and attempting
> to retrieve the first 6 bytes of the "Connection Acknowledge" command
> FLAP.  It just sat there attempting to read data until the connection
> timed out (it definitely connected).  I then verified that the script
> was working by connecting into, which, of
> course, gave me the expected response.  The protocol appears to have
> been significantly changed - such that existing code won't work - and
> perhaps the protocol has been replaced entirely with something new.

I ran a quick test by typing "" into my web
browser, and got:

Content-Length: 20
Content-Type: text/html;charset=utf-8
Content-Language: en

405 Method Not Allowed

GET is an unusual method to disallow. Without GET, the only useful
method I can imagine for maintaining an IM session would be CONNECT
(or possibly polling with POST).

I was going to test my hypothesis that this is just an HTTPS proxy,
but apparently Pidgin doesn't support HTTPS proxies ;).

Anyway, I doubt there's anything to worry about, but I've definitely
been proven wrong before.

Perhaps Mark has something to add?


PS You can get SSL'ed OSCAR by connecting to and
then everything else is normal. I had one of my summer of code
students try it last year, but he apparently hit a wall because the
SSL state is shared amongst each OSCAR connection or something.

More information about the Devel mailing list