Sherlock, OFX Direct Connect sends credentials and all data as plain text over an unencrypted and unguarded (meaning no certificates to prevent a MITM) link. How is that not completely insecure?
OFX itself is just a data stream format. Security is the job of whatever is sending the stream.

Regards,
John Ralls

> On Dec 2, 2025, at 11:20 AM, Sherlock <[email protected]> wrote:
>
> Hi John,
>
> My only issue is with your criticism of OFX security. OFX is not "completely
> insecure" and there is encryption.
>
> FWIW, we still pull transactions regularly from four financial institutions
> in the US.
>
> Regards,
>
> Sherlock
>
>
> On 11/30/25 1:28 PM, John Ralls wrote:
>>> On Nov 30, 2025, at 2:43 AM, Carl Ponder via gnucash-user
>>> <[email protected]> wrote:
>>>
>>>
>>> I'm running GnuCash 5.13 on Ubuntu 24.04 using the command
>>>
>>> /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=gnucash
>>> --file-forwarding org.gnucash.GnuCash @@ %f @@
>>>
>>> and trying to automatically download the transactions from my checking
>>> account at Charles Schwab and VISA transactions from Bank of America.
>>> Using the menu
>>>
>>> Apps -> Office -> GnuCash -> Accounts -> Charles Schwab -> Tools ->
>>> Online Banking Setup -> Start AqBanking Setup -> Create User ->
>>> Select a Bank
>>>
>>> I get a pane where I can enter the name "Charles Schwab" or "Bank of
>>> America", but then it just hangs.
>>> Also the letters show up slowly in the pane, it looks like it's trying to
>>> do a lookup as I type, but not getting anything.
>>> This page here
>>>
>>> https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect
>>>
>>> mentions a https://www.ofxhome.com/ database, but as far as I can tell,
>>> this URL doesn't exist.
>>> Does GnuCash actually support online banking?
>> Not significantly in the USA. The one protocol we support, OFX Direct
>> Connect, is completely insecure and so very few (maybe no) banks still offer
>> it. The replacements are proprietary and require corporate vetting to
>> license so it’s not possible for either GnuCash or AqBanking to implement
>> them.
>>
>> Accordingly I’ve replaced
>> https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect with a tombstone
>> page and put a header at the top of
>> https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settings declaring
>> that it’s of historical interest only.
>>
>> That pane where you enter the name and click a button to look up the bank
>> does depend on ofxhome.com <http://ofxhome.com/> that no longer exists so
>> you could set up OFX Direct Connect manually if you had a bank that did
>> still support it. I can tell you categorically that neither Charles Schwab
>> nor BofA do (nor does BNY Mellon, the bank that Schwab uses for their cash
>> sweeps).
>>
>> Regards,
>> John Ralls
>
> _______________________________________________
> gnucash-user mailing list
> [email protected]
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
