OFX Support

Linas Vepstas linas@linas.org
Tue, 10 Dec 2002 13:47:31 -0600


On Tue, Dec 10, 2002 at 01:52:47PM -0500, Benoit Grégoire was heard to remark:
> 
> Well, I have a fairly good idea how Quicken does it, and know the spec pretty 
> much in and out.  Perhaps I'd have better luck at sniffing, but as I said, 

Harumph.  At the time, I was working with an OFX server whose source
code I had full access to, as well as a specially modified copy of 
Quicken (provided by Intuit) that made it easy to probe and test.  
Quicken does *not* query the OFX server, and does not use the OFX 
protocol to obtain the list of URLs.  (circa 1998). Rather, it 
downloads a file from Intuit containing bank identifiers and some 
other encrypted crap that I couldn't make out.  It then performs 
a second query to Intuit that somehow seemed to determine (well, 
this is weird, maybe I'm wrong) it seemed to know if you were a 
legit banking customer, and it did *not* attempt to contact the 
bank if you didn't have an account there.   Basically, I couldn't 
get it to connect to any other OFX server other than our own, and 
thus couldn't sniff URLs.  Given the armada of tools & access I 
had at the time, I walked away quite disappointed.

I did *not* have a Windows binary disassembler, which would have
been needed for further progress.

> LibOFX to successfully request bank servers from the Intuit server, but I 

Again, circa 1998, the list of servers was not delivered by OFX,
but rather with a plain-text, CRLF-delimited file, with no special
markup. Four lines per bank, followed by a blank line.  The third
and fourth lines were encrypted.  I might still have a copy of this
file somewhere, maybe.

> doubt that would last very long once they notice... 

Wouldn't matter: with millions of Quicken users, it's not like
they can just turn this feature off.

> However, perhaps banks might let us do it "à la Quicken":  A centralized 
> server, run by an organisation.  

Well, let's think this through.  Once a cracker has the GnuCash source 
code, then they have access to the list of banks on the central
server.  The only way to stop this is to force the user to not be 
anonymous, i.e. by registering each user, and then issuing them 
a unique key that grants them access to the central server.  Thus,
misbehaviour by miscreants can be tracked down according to the
registration of the key.

We conclude: the former approach provides no additional security
whatsoever, and the latter approach has a large administrative 
overhead, a legal burden, and many distasteful personal-privacy issues.  

--linas


-- 
pub  1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas@linas.org>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984  3F54 64A9 9A82 0104 5933