[GNC-dev] New OFX Requirements For USAA FSB

Thomas Baumgart thb at kmymoney.org
Sat Jan 30 01:19:14 EST 2021


On Saturday, 30 January 2021 05:11:44 CET John Ralls wrote:

> > On Jan 29, 2021, at 4:11 PM, Bob White <white.b at me.com> wrote:
> > 
> > Thanks, John,
> > 
> >> 
> >> Not mentioned in your emails is the response from USAA: A webpage reporting a server error instead of the usual 50x HTTP response code.
> > 
> > I do see a 400 in the Online Banking Transaction Window when attempting to download transactions in GNC:
> > 
> > AqBanking v6.2.5.0stable
> > Sending jobs to the bank(s)
> > Sorting commands by account
> > Sorting commands by account
> > Sorting commands by provider
> > Send commands to providers
> > Send commands to provider "aqofxconnect"
> > Locking customer "4563"
> > Sending request...
> > Connecting to server...
> > Resolving hostname "df3cx-services.1fsapi.com" ...
> > IP address is "45.60.151.211"
> > Connecting to "df3cx-services.1fsapi.com"
> > Connected to "df3cx-services.1fsapi.com"
> > Using GnuTLS default ciphers.
> > TLS: SSL-Ciphers negotiated: TLS1.3:ECDHE-RSA-AES-128-GCM:AEAD
> > Connected.
> > Sending message...
> > Message sent.
> > Waiting for response...
> > Receiving response...
> > HTTP-Status: 400 (Bad Request)
> > Unlocking customer "4563"
> >  
> >> 
> >> Also not mentioned in your emails: I suppose that you were able to download your transactions successfully with Quicken. Do you think you could install Wireshark (https://www.wireshark.org/#download) and collect what Quicken is sending?
> > 
> > It's been a while since I used Wireshark, but I did install it.  Everything captured is encrypted.  I've never decrypted TLS in Wireshark before.  Is there a tutorial available that doesn't require the use of Chrome or Netscape so I can capture while using the Quicken app?
> > 
> > If not, I guess I could try the Quicken Web interface via Chrome or Netscape and capture things that way.
> 
> Dang, I didn't think of encryption. I don't know how to do that, and since Quicken 
> 
> The Quicken web interface is I think different from OFX Direct Connect. If it's OFX Web Connect then it handles authentication differently and that's probably at least part of the problem.
> 
> I found a quicken community discussion that suggests that Quicken for Windows used IE to connect, so I'd imagine that Quicken for Mac would use WebKit. I don't know if Apple's installed WebKit uses openssl, but it might, in which case it might be possible to get a key log for the Quicken session. Total speculation, I've never done anything remotely like this.

You cannot do that without breaking the security. Wireshark can decrypt the traffic, but you need the private key of the server certificate (and I doubt that you will be able to get a hold of it).

The other method is to use a proxy that intercepts the traffic (mitm). Tools like ZAP (https://owasp.org/www-project-zap/) or the Burp Suite (https://portswigger.net/burp) would be something to look into. Be warned: if you don't clean up after you're done, using these methods may leave a security hole on your system!

Other than that, I am also interested in your findings as this problem also applies to other applications using AqBanking/LibOFX.

-- 

Regards

Thomas Baumgart

https://www.signal.org/       Signal, the better WhatsApp
-------------------------------------------------------------
morphir: so much confusion :S kmake, kdemake, qmake make cmake etc.
logixoul: you forgot cmakekde :)
morphir: and bakemeacake
-------------------------------------------------------------
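The intercepting-proxy route Thomas describes, as an added example for this thread (not code from AqBanking, LibOFX, GnuCash or Quicken). One point worth making explicit before anyone captures Quicken's traffic: the OFX sign-on request carries the bank user id and password in clear inside the TLS tunnel, so a raw proxy dump written to disk, or pasted into a list post for comparison, contains the credentials. The mitmproxy addon below therefore redacts those elements before anything reaches disk, and prints a summary (OFX header fields and the request aggregates present) that is usually enough to diff what Quicken sends against what AqBanking sends. The hostname is the one from the AqBanking log quoted above; the dump directory, the file naming, the set of redacted elements and the sample request at the bottom are assumptions made here, and the sample is constructed, not a real capture. (On the Wireshark route: the log shows an ECDHE TLS 1.3 session, so a passive capture could only be decrypted with per-session secrets exported by the client, which is not something Quicken offers; that is why the proxy is the practical option.)

```python
"""mitmproxy addon that records an OFX Direct Connect exchange with the bank's
password and account identifiers redacted before anything reaches disk.

Added example for this thread, not code from AqBanking, LibOFX, GnuCash or
Quicken.  Everything below the hostname (which is the one in the AqBanking log
above) is an assumption made here: the dump directory, the set of redacted
elements and the file naming.

Usage:  mitmdump --listen-port 8080 -s ofx_dump.py
then point the client, or the OS proxy setting it honours, at 127.0.0.1:8080
and trust mitmproxy's CA only for the duration of the capture.
"""
import re
from pathlib import Path

WATCH_HOSTS = {"df3cx-services.1fsapi.com"}   # host from the thread's log
DUMP_DIR = Path("ofx-dump")                    # assumed output location

# OFX 1.x bodies are SGML (<USERPASS>secret with no close tag); OFX 2.x bodies
# are XML (<USERPASS>secret</USERPASS>).  The value pattern stops at '<' or
# end of line, so it covers both forms.
_SECRET_TAGS = ("USERPASS", "USERID", "CLIENTUID", "ACCTID")
_SECRET_RE = re.compile(r"<(%s)>[^<\r\n]*" % "|".join(_SECRET_TAGS))
# Top-level message sets (...MSGSRQV1) and the requests inside them (...RQ).
_AGGREGATE_RE = re.compile(r"<([A-Z0-9]+MSGSRQV1|[A-Z0-9]+RQ)>")


def redact(body: str) -> str:
    """Blank the value of every element that identifies the user or account."""
    return _SECRET_RE.sub(lambda m: "<%s>[REDACTED]" % m.group(1), body)


def ofx_header_fields(body: str) -> dict:
    """Parse the OFX 1.x SGML header (KEY:VALUE lines up to the first blank line).

    OFX 2.x requests start directly with an XML declaration; for those the
    result is empty, which is itself worth noticing when comparing two clients.
    """
    fields = {}
    for line in body.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line or line.startswith("<"):
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def summarize(body: str) -> dict:
    """Header fields (e.g. VERSION) and the request aggregates present: the
    places where two clients talking to the same bank usually differ."""
    return {
        "header": ofx_header_fields(body),
        "aggregates": sorted(set(_AGGREGATE_RE.findall(body))),
    }


class OfxDump:
    """mitmproxy addon; mitmproxy calls request()/response() once per flow."""

    def _write(self, name: str, headers, body: str) -> Path:
        DUMP_DIR.mkdir(exist_ok=True)
        path = DUMP_DIR / name
        meta = "".join("%s: %s\n" % kv for kv in headers.items())
        # Redact first, so the plaintext password never touches the disk.
        path.write_text(meta + "\n" + redact(body), encoding="utf-8")
        return path

    def request(self, flow):
        if flow.request.pretty_host not in WATCH_HOSTS:
            return
        stamp = int(flow.request.timestamp_start)
        body = flow.request.get_text(strict=False) or ""
        self._write("%d-request.ofx" % stamp, flow.request.headers, body)
        print("OFX request:", summarize(body))

    def response(self, flow):
        if flow.request.pretty_host not in WATCH_HOSTS or flow.response is None:
            return
        stamp = int(flow.request.timestamp_start)
        body = flow.response.get_text(strict=False) or ""
        self._write("%d-response-%d.ofx" % (stamp, flow.response.status_code),
                    flow.response.headers, body)


addons = [OfxDump()]


# Constructed sample (not a real capture): an OFX 1.02 statement request of the
# kind AqBanking/LibOFX build.  FI, application, user and account values are
# placeholders chosen here.
SAMPLE_REQUEST = (
    "OFXHEADER:100\r\nDATA:OFXSGML\r\nVERSION:102\r\nSECURITY:NONE\r\n"
    "ENCODING:USASCII\r\nCHARSET:1252\r\nCOMPRESSION:NONE\r\n"
    "OLDFILEUID:NONE\r\nNEWFILEUID:NONE\r\n\r\n"
    "<OFX><SIGNONMSGSRQV1><SONRQ><DTCLIENT>20210129161100"
    "<USERID>jdoe<USERPASS>hunter2<LANGUAGE>ENG"
    "<FI><ORG>EXAMPLEBANK<FID>0000</FI><APPID>EXAMPLEAPP<APPVER>0100"
    "</SONRQ></SIGNONMSGSRQV1>"
    "<BANKMSGSRQV1><STMTTRNRQ><TRNUID>1001<STMTRQ><BANKACCTFROM>"
    "<BANKID>000000000<ACCTID>123456789<ACCTTYPE>CHECKING</BANKACCTFROM>"
    "<INCTRAN><INCLUDE>Y</INCTRAN></STMTRQ></STMTTRNRQ></BANKMSGSRQV1></OFX>"
)

if __name__ == "__main__":
    print(redact(SAMPLE_REQUEST))
    print(summarize(SAMPLE_REQUEST))
```

Cleanup, which is the warning in Thomas's reply: when the capture is done, remove mitmproxy's CA from the OS trust store (on macOS it appears in Keychain Access under the name "mitmproxy"), undo the proxy setting, and delete the dump directory once the comparison has been made. The redaction covers only the listed elements; a statement response still contains balances and transaction details, so it is not safe to publish as-is.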