ofx direct connect

Mark Johnson mrj001 at shaw.ca
Thu Nov 9 22:45:45 EST 2006


Jon Hamkins wrote:

> Mark Johnson wrote:
>
>> Jon Hamkins wrote:
>>
>>> The bottom line is, MS Money is useless for identifying an OFX 
>>> server address, because it generates no direct traffic to an OFX 
>>> server.
>>
>> How does one know that the network traffic between msn money and your 
>> bank is also encrypted?  If yes (and it most likely is yes), what 
>> strength of encryption are they using?  One can set such things on 
>> one's own computer, but you have no control over theirs.
>
> You know that it's encrypted because MS Money cannot talk to an OFX 
> server without encryption.  My understanding is that the OFX protocol 
> is HTTP with SSL, with encrypted XML requests and responses.  On the 
> other hand, there is no way to verify that the MS servers are using 
> the OFX protocol; they could have back-room deals with financial 
> institutions to provide data (although that doesn't seem likely since 
> OFX is a cheap and easy setup that is already available from many banks).

You know that the connection between your computer running MS Money and 
msn money's server is encrypted.  I am not so certain you can make the 
same statement about the connection between msn money's server and your 
bank.  That connection is opened by msn money's server on your behalf, 
but does not directly involve your computer.  That is a second 
connection which does not directly involve your computer.

>
>> Using MS Money means you've trusted Microsoft to build the software 
>> to keep track of your money.  Fair enough.  The same could be said of 
>> any software.  Given the connections you observed, do they have 
>> access to your personal financial information?  That's a much higher 
>> level of trust than one expected when buying the software.  
>
> Yes, MS has all of your financial information.  They require an 
> enormous amount of trust from their customers.  All your financial 
> data lives on their servers, and indeed, you can access your data from 
> any internet connection (they advertise this as a feature, not hide it 
> as a security problem).
>
> What if you don't want your data on MS Money's servers?  No problem, 
> you can turn that feature off, but you'll no longer be able to 
> download transactions into Money.  Thank God there is such a thing as 
> gnucash!

Agreed.  I never before thought of entering all my transactions by hand 
as being a security feature.  Well, with gnucash it isn't, but with 
commercial software...

This is a huge advantage of open source.

>
>      ----Jon
>
>

