ofx direct connect

Jon Hamkins hamkins at alumni.caltech.edu
Thu Nov 9 11:20:27 EST 2006


Mark Johnson wrote:
> Jon Hamkins wrote:

>> The bottom line is, MS Money is useless for identifying an OFX server 
>> address, because it generates no direct traffic to an OFX server.

> How does one know that the network traffic between MSN Money and your 
> bank is also encrypted?  If yes (and it most likely is yes), what 
> strength of encryption are they using?  One can set such things on one's 
> own computer, but you have no control over theirs.

You know that it's encrypted because MS Money cannot talk to an OFX 
server without encryption.  My understanding is that the OFX protocol is 
HTTP with SSL, with encrypted XML requests and responses.  On the other 
hand, there is no way to verify that the MS servers are using the OFX 
protocol; they could have back-room deals with financial institutions to 
provide data (although that doesn't seem likely since OFX is a cheap and 
easy setup that is already available from many banks).

> Using MS Money means you've trusted Microsoft to build the software to 
> keep track of your money.  Fair enough.  The same could be said of any 
> software.  Given the connections you observed, do they have access to 
> your personal financial information?  That's a much higher level of 
> trust than one expected when buying the software.  

Yes, MS has all of your financial information.  They require an enormous 
amount of trust from their customers.  All your financial data lives on 
their servers, and indeed, you can access your data from any internet 
connection (they advertise this as a feature, not hide it as a security 
problem).

What if you don't want your data on MS Money's servers?  No problem, you 
can turn that feature off, but you'll no longer be able to download 
transactions into Money.  Thank God there is such a thing as gnucash!

      ----Jon


