How Usenet SSL Encryption Works: Ports, TLS, and 256-Bit Security

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt the connection between your newsreader and the Usenet server. When you connect to NewsDemon on port 563, a TLS handshake establishes an encrypted tunnel. Everything that passes through that tunnel, your login credentials, the newsgroups you access, the articles you download, the posts you make, is encrypted and unreadable to anyone between you and the server. That includes your ISP, your network administrator, and anyone snooping on your Wi-Fi.

Our security overview covers the basics. This page goes deeper on how SSL/TLS actually works for Usenet connections.

Port 563 (SSL/TLS) — Always Use This

Port 563 is the standard NNTP-over-SSL port. When your newsreader connects on this port, the TLS handshake happens before any NNTP commands are sent. Everything is encrypted from the first byte. This is the port you should use for all connections to NewsDemon.

Port 443 (Alternative SSL) — Backup Option

Port 443 is the standard HTTPS port. Some ISPs or corporate firewalls block port 563 but leave 443 open because it is used for regular web browsing. If you cannot connect on port 563, try 443. The encryption is identical; only the port number changes.

Port 119 (Unencrypted) — Do Not Use

Port 119 is the original NNTP port with no encryption. Your ISP can see everything: which newsgroups you access, which articles you download, your username and password. There is no reason to use port 119 in 2026. Some ISPs actively throttle traffic on this port because they can identify it as Usenet.

When your newsreader connects to NewsDemon on port 563, the following happens in the background:

1. Client Hello. Your newsreader sends a message listing which TLS versions and cipher suites it supports.

2. Server Hello. NewsDemon responds with the TLS version and cipher suite it selected, plus its SSL certificate.

3. Certificate verification. Your newsreader checks that the certificate is valid, issued by a trusted authority, and matches the server hostname.

4. Key exchange. Both sides generate a shared session key using asymmetric cryptography. This session key is unique to your connection.

5. Encrypted session begins. All subsequent data (NNTP commands, article transfers, authentication) is encrypted with the session key using a symmetric cipher like AES-256.

This entire process takes milliseconds. You do not notice any delay. The encryption overhead on modern hardware is negligible, typically under 1% of your CPU and no measurable impact on throughput.

NewsDemon supports 256-bit AES encryption. AES-256 is the same cipher used by banks, governments, and military communications. The "256-bit" refers to the key length: there are 2^256 possible keys, a number so large that brute-force cracking is computationally impossible with any technology that exists or is foreseeable.

In practical terms: nobody is decrypting your Usenet traffic. Not your ISP, not a hacker on your Wi-Fi, not a government agency performing passive surveillance. The math makes it impossible without the session key, which only your computer and the NewsDemon server have.

SSL protects the content. Your ISP cannot see what you are downloading, which newsgroups you visit, or your login credentials. They can see that you are connecting to news.newsdemon.com, but nothing about what happens inside that connection.

A VPN protects the destination. With a VPN enabled, your ISP cannot even see that you are connecting to a Usenet server. They see only a connection to the VPN server. The VPN wraps around the SSL connection, so you get two layers of encryption.

For most users, SSL alone is sufficient. A VPN adds value if your ISP throttles Usenet traffic, if you are on an untrusted network, or if you want to hide the fact that you use Usenet at all.

Some ISPs use Deep Packet Inspection (DPI) to identify and throttle specific traffic types. Unencrypted NNTP traffic on port 119 is easy to identify and throttle. SSL-encrypted traffic on port 563 is much harder for DPI to classify because the content is encrypted.

If you suspect your ISP is throttling Usenet, the first step is to make sure you are using SSL. If you are already on SSL and still seeing slow speeds, try port 443 (harder for ISPs to block without breaking all HTTPS traffic). If that does not help, a VPN will bypass ISP-level throttling entirely.