Port 1335: Digital Notary Protocol — When good intentions meet bad actors

What Port 1335 Was Built For

Port 1335 is registered to the Digital Notary Protocol, a service designed for digital timestamping and authentication of electronic documents.¹ The idea was straightforward: prove when a digital document existed by having a trusted third party cryptographically timestamp it.

This protocol emerged during the early development of digital authentication systems in the 1990s, before the industry standardized around RFC 3161 (published in 2001).² RFC 3161 defined the Time-Stamp Protocol (TSP), which became the widely adopted standard for trusted timestamping services.

The Digital Notary Protocol exists in that interesting historical space—registered with IANA, intended for legitimate use, but ultimately surpassed by later standards that did the job better.

The Registered Port Range

Port 1335 sits in the registered port range (1024-49151). These ports are assigned by IANA to specific services upon request, following review processes like IETF Review or Expert Review. Unlike well-known ports (0-1023) which require root privileges to bind, registered ports can be used by regular user applications.

This makes registered ports accessible for services that want an official assignment but don't need the privileged status of well-known ports. The Digital Notary Protocol fit this category—a legitimate service that needed a consistent port number.

When Other Things Move In

Here's the uncomfortable reality: port 1335 has been flagged in security databases as historically associated with trojans and malware.³ This doesn't mean the Digital Notary Protocol itself was malicious. It means that when a registered port doesn't see widespread use, malware authors sometimes adopt it for their own purposes.

An unused port is an open door. If legitimate traffic isn't flowing through port 1335, malicious traffic can use it without raising immediate suspicion. This is why security tools flag the port—not because the original service was bad, but because the port's relative obscurity made it attractive to bad actors.

This pattern repeats across the registered port range. A service gets registered, doesn't gain adoption, and the port number becomes available real estate for whatever wants to use it.

Checking What's Actually Using Port 1335

On Linux or macOS:

# See what's listening on port 1335
sudo lsof -i :1335

# Or using netstat
sudo netstat -tulpn | grep 1335

On Windows:

# See what's using port 1335
netstat -ano | findstr :1335

If you see something listening on port 1335, identify the process. It could be:

• A legitimate application that happens to use this port
• Malware that's specifically chosen this port
• A custom service you or someone else configured

The port number alone doesn't tell you intent. The process using it does.

Why Registered Ports Matter

The registered port range is where most custom network services live. These aren't the famous protocols everyone knows (HTTP, DNS, SSH), but they're still part of how the Internet's nervous system works.

Some registered ports become widely used—like port 3306 for MySQL or port 5432 for PostgreSQL. Others, like port 1335, remain obscure. But the registration system matters because it prevents conflicts. When you build a service, you can register a port and know that other legitimate services won't use that same number.

The system only works if people respect the assignments. Malware, by definition, doesn't.

The Story Port 1335 Tells

Port 1335 is the Internet in miniature. Someone had an idea—digital notarization, timestamping, proof of existence. They registered a port, built a protocol, tried to solve a real problem. The industry moved in a different direction. The standard that won was RFC 3161, and the Digital Notary Protocol faded.

But the port number remains. Still registered. Still technically assigned to that original purpose. And like any abandoned building, sometimes other things move in.

That's the reality of the registered port range. Not every port tells a success story. Some are just addresses where something once was, and might be again, for better or worse.

Related Ports

• Port 318 — TSP (Time Stamp Protocol), another early timestamping service
• Port 80 — HTTP, the protocol that carries most modern timestamping services
• Port 443 — HTTPS, where RFC 3161 timestamping typically runs today