[GNC-dev] New OFX Requirements For USAA FSB

Dawid Wrobel me at dawidwrobel.com
Sun Feb 7 22:04:53 EST 2021


On Sun, Feb 7, 2021 at 5:10 PM Jean L <ripngo at gmail.com> wrote:

> Sure, you can have a man-in-the-middle setup, but if you don't have the
> keys that Quicken and the bank use to communicate and communications are
> encoded, you can't get any data from being in the middle, unless I'm
> missing something.

You assume Quicken is checking the remote key signature against its records.
However, what Quicken most certainly does is just regular HTTPS, because
otherwise maintaining a database of signatures of the myriad of banks they
support would be a PITA.

So as long as the certificate is valid they're good to go. And since you
have access to the system, you can install a CA root to generate a valid
certificate on demand to perform the MITM.

Moreover, in some cases you can have the software dump the Master-Secret
log file, which can be read directly by Wireshark to decrypt the traffic.
I've done this previously with the commercial, Java-based Moneydance to
decrypt their communication with Discover bank.[1]

Google "Wireshark MITM" for more information.

[1] https://stackoverflow.com/a/41078568

-- 
Regards,
Dawid
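
The message above separates two checks: accepting any certificate that validates against the system trust store, and comparing the remote certificate against a stored record. The Python sketch below shows a client doing both. It is an added example, not part of the original email and not Quicken's or GnuCash's code. The names `pin_matches` and `connect_pinned` and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
from typing import Iterable


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """True only if the certificate's fingerprint is one of the recorded pins.
    Pins may be written with colons and in either case."""
    normalized = {p.replace(":", "").lower() for p in pinned}
    return fingerprint(der_cert) in normalized


def connect_pinned(host: str, pinned: Iterable[str], port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that must pass both checks:
    1. chain and hostname validation against the system trust store, and
    2. a match between the leaf certificate and a recorded fingerprint.
    A certificate issued by a locally installed root passes (1) but fails (2)."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any recorded pin")
    return tls


# Constructed stand-ins for DER bytes (not real certificates), so the pin
# comparison can be exercised offline.
BANK_CERT = b"constructed: certificate the bank normally serves"
LOCAL_CA_CERT = b"constructed: certificate issued by a locally installed root"
PINS = {fingerprint(BANK_CERT)}
```

Pinning the leaf certificate means the recorded value has to be updated whenever the server renews it, which is the maintenance cost the message refers to.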

