OFX Support

Benoit Grégoire bock@step.polymtl.ca
Tue, 10 Dec 2002 13:52:47 -0500


On December 10, 2002 12:38 pm, Linas Vepstas wrote:
> > On Mon, Dec 09, 2002 at 08:07:02PM -0500, Benoit Grégoire wrote:
> > > As I said in my last message, that information is queried at runtime by
> > > Quicken from a central Intuit server.  So yes, Intuit and Microsoft
> > > probably receive an update every time a bank moves their server.
>
> At this point, do we know of the location of *any* OFX servers?

I know one, but don't have an account there.  As for my bank, I think it 
doesn't support direct query even from Quicken.

If it does, I may have a slightly better chance than others to get that info.  
Though it's quite big (84.7 billion CAD assets), it's still a cooperative, and 
I know people fairly high up.

> At one point, I tried to sniff the protocol between Quicken and
> Intuit to see how they found the URLs, but was unsuccessful.
> (I could read parts of the transaction in plaintext, unencrypted,
> but not the part that mattered.)
>
> This is a barrier to entry for doing true live online transactions
> via OFX.  How are we going to get past this barrier?

Well, I have a fairly good idea how Quicken does it, and know the spec pretty 
much in and out.  Perhaps I'd have better luck at sniffing, but as I said, 
either my version of Quicken is too old, or my bank doesn't support it.  I'd 
probably need a recent version of Quicken to reverse-engineer.

But before I start work on that, I have to finish the export infrastructure in 
LibOFX.  It is a prerequisite for request generation.  Work on that should 
probably be completed in February.  After that, I'll investigate request 
generation in much more detail.

But even if and when I do build the technological infrastructure to do it, we 
still have the problem of getting the address for our users.  I am quite 
convinced that the banks will refuse to let us include their IP address in a 
text file (Fears they might have their server cracked may be unjustified, but 
fear of DOS attacks would probably be QUITE justified).  I may be able to get 
LibOFX to successfully request bank servers from the Intuit server, but I 
doubt that would last very long once they notice... 

However, perhaps banks might let us do it "à la Quicken":  A centralized 
server, run by an organisation.  Perhaps we could pull it off with the help 
of RedHat?  They at least have a little brand recognition in the banking 
industry.

One thing for sure, we will have to make it a larger free software issue, or 
we won't pull it off on our own. 
-- 
Benoit Grégoire
http://step.polymtl.ca/~bock/