OFX Support
Benoit Grégoire
bock@step.polymtl.ca
Tue, 10 Dec 2002 13:52:47 -0500
On December 10, 2002 12:38 pm, Linas Vepstas wrote:
> > On Mon, Dec 09, 2002 at 08:07:02PM -0500, Benoit Gr?goire wrote:
> > > As I said in my last message, that information is queried at runtime by
> > > Quicken from a central Intuit server. So yes, Intuit and Microsoft
> > > probably receive an update everytime a bank moves their server.
>
> At this point, do we know of the location of *any* OFX servers?
I know one, but don't have an account there. As for my bank, I think it
doesn't support direct query even from Quicken.
If it does, I may have a slightly better chance that others to get that info.
Tough it's quite big (84.7 billion CAD assets), it's still a cooperative, and
I know people fairly high up.
> At one point, I tried to sniff the protocol between quicken and
> intuit to see how they found the URL's, but was unsuccessful.
> (I could read parts of the transaction in plaintext, unencrypted,
> but not the part that mattered.)
>
> This is a barrier to entry for doing true live online transactions
> via OFX. How are we going to get past this barrier?
Well, I have a fairly good idea how Quicken does it, and know the spec pretty
much in and out. Perhaps I'd have better luck at sniffing, but as I said,
either my version on Quicken is too old, or my bank doesn't support it. I'd
probably need a recent version of Quicken to reverse-engineer.
But before I start work on that, I have to finish the export infrastructure in
LibOFX. It a prerequisite for request generation. Work on that should
probably be completed in february. After that, I'll investigate request
generation in much more detail.
But even if and when I do build the technological infrastructure to do it, we
still have the problem of getting the adress for our users. I am quite
convinced that the banks will refuse to let us include their IP address in a
text file (Fears they might have their server cracked may be unjustified, but
fear of DOS attacks would probably be QUITE justified). I may be able to get
LibOFX to succesfully request bank servers from the Intuit server, but I
doubt that would last very long once they notice...
However, perhaps banks might let us do it "à la Quicken": A centralized
server, run by an organisation. Perhaps we could pull it off with the help
of RedHat? They at least have a little brand recognition in the banking
industry.
One thing for sure, we will have to make it a larger free software issue, or
we won't pull it of on our own.
--
Benoit Grégoire
http://step.polymtl.ca/~bock/