Sherlock,

Nope. While you’re correct that the *modern* OFX spec specifies https connections, that wasn’t introduced until version 2.2, issued November 26, 2017. All previous versions specified this:
> 1.2.1 Data Transport
>
> Clients use the HyperText Transport Protocol (HTTP) to communicate to an Open
> Financial Exchange server. The World Wide Web throughout uses the same HTTP
> protocol. In principle, a financial institution can use any off-the-shelf web
> server to implement its support for Open Financial Exchange.

And that’s what was used for OFX Direct Connect. Nearly all of the US banks providing OFX DirectConnect used the older SGML-based version 1, the last version of which was 1.6 from October 1999. And credentials were transmitted in plain text: We had to include a warning about it in the OFX page: https://wiki.gnucash.org/wiki/index.php?title=Setting_up_OFXDirectConnect&oldid=16643#Enabling_the_OFX_Log (Note that’s the previous version that I wiped out on Sunday).

You can download some of the older specs from https://www.financialdataexchange.org/FDX/FDX/About/OFX-Work-Group.aspx?a315d1c24e44=2 . Scroll down to Previous Versions at the bottom of the page.

Regards,
John Ralls

> On Dec 2, 2025, at 14:54, Sherlock <[email protected]> wrote:
>
> John,
>
> All the OFX network communication is performed over https. The
> authentication method is basic but it is encrypted. The client should be
> checking that the certificate provided by the server is valid, otherwise, a
> MITM is possible. If the client isn't checking, that isn't a flaw in OFX.
>
> Regards,
>
> Sherlock
>
>
> On 12/2/25 1:51 PM, John Ralls wrote:
>> Sherlock,
>> OFX Direct Connect sends credentials and all data as plain text over an
>> unencrypted and unguarded (meaning no certificates to prevent a MITM) link.
>> How is that not completely insecure?
>> OFX itself is just a data stream format. Security is the job of whatever
>> is sending the stream.
>> Regards,
>> John Ralls
>>> On Dec 2, 2025, at 11:20 AM, Sherlock <[email protected]> wrote:
>>>
>>> Hi John,
>>>
>>> My only issue is with your criticism of OFX security. OFX is not
>>> "completely insecure" and there is encryption.
>>>
>>> FWIW, we still pull transactions regularly from four financial institutions
>>> in the US.
>>>
>>> Regards,
>>>
>>> Sherlock
>>>
>>>
>>> On 11/30/25 1:28 PM, John Ralls wrote:
>>>>> On Nov 30, 2025, at 2:43 AM, Carl Ponder via gnucash-user
>>>>> <[email protected]> wrote:
>>>>>
>>>>>
>>>>> I'm running GnuCash 5.13 on Ubuntu 24.04 using the command
>>>>>
>>>>> /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=gnucash
>>>>> --file-forwarding org.gnucash.GnuCash @@ %f @@
>>>>>
>>>>> and trying to automatically download the transactions from my checking
>>>>> account at Charles Schwab and VISA transactions from Bank of America.
>>>>> Using the menu
>>>>>
>>>>> Apps -> Office -> GnuCash -> Accounts -> Charles Schwab -> Tools ->
>>>>> Online Banking Setup -> Start AqBanking Setup -> Create User ->
>>>>> Select a Bank
>>>>>
>>>>> I get a pane where I can enter the name "Charles Schwab" or "Bank of
>>>>> America", but then it just hangs.
>>>>> Also the letters show up slowly in the pane, it looks like it's trying to
>>>>> do a lookup as I type, but not getting anything.
>>>>> This page here
>>>>>
>>>>> https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect
>>>>>
>>>>> mentions a https://www.ofxhome.com/ database, but as far as I can tell,
>>>>> this URL doesn't exist.
>>>>> Does GnuCash actually support online banking?
>>>> Not significantly in the USA. The one protocol we support, OFX Direct
>>>> Connect, is completely insecure and so very few (maybe no) banks still
>>>> offer it. The replacements are proprietary and require corporate vetting
>>>> to license so it’s not possible for either GnuCash or AqBanking to
>>>> implement them.
>>>> Accordingly I’ve replaced
>>>> https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect with a tombstone
>>>> page and put a header at the top of
>>>> https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settings declaring
>>>> that it’s of historical interest only.
>>>> That pane where you enter the name and click a button to look up the bank
>>>> does depend on ofxhome.com <http://ofxhome.com/> that no longer exists so
>>>> you could set up OFX Direct Connect manually if you had a bank that did
>>>> still support it. I can tell you categorically that neither Charles Schwab
>>>> nor BofA do (nor does BNY Mellon, the bank that Schwab uses for their cash
>>>> sweeps).
>>>> Regards,
>>>> John Ralls
>>>
>
> _______________________________________________
> gnucash-user mailing list
> [email protected]
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
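
Added example, not part of the original thread and not GnuCash or AqBanking code: a Python check for the two exposures discussed above, a sign-on request sent over plain HTTP and credentials left readable in an OFX log. The function names, the sample log, the host name and the use of 2.2 as the cut-off (taken from the message above) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: an OFX 1.x (SGML) sign-on request as a client log might
# record it. Every value here is made up for the example.
SAMPLE_LOG = (
    "OFXHEADER:100\r\nDATA:OFXSGML\r\nVERSION:102\r\nSECURITY:NONE\r\n"
    "ENCODING:USASCII\r\nCHARSET:1252\r\nCOMPRESSION:NONE\r\n"
    "OLDFILEUID:NONE\r\nNEWFILEUID:NONE\r\n\r\n"
    "<OFX><SIGNONMSGSRQV1><SONRQ><DTCLIENT>20251202145400\r\n"
    "<USERID>jdoe-example\r\n<USERPASS>hunter2-example\r\n<LANGUAGE>ENG\r\n"
    "<FI><ORG>EXAMPLE<FID>0000</FI><APPID>EXAMPLEAPP<APPVER>0100\r\n"
    "</SONRQ></SIGNONMSGSRQV1></OFX>\r\n"
)
MASK = "[REDACTED]"
# A value runs to the next tag or line end, so this covers both SGML (no
# closing tag) and XML (closing tag) serialisations.
_SECRET_RE = re.compile(r"<(USERID|USERPASS)>([^<\r\n]*)", re.I)
HTTPS_SPEC_VERSION = 220  # OFX 2.2, per the message above (assumption here)

def redact_ofx(text):
    """Mask sign-on credential values before a log is stored or shared."""
    return _SECRET_RE.sub(lambda m: "<%s>%s" % (m.group(1), MASK), text)

def ofx_version(text):
    """Return the declared OFX version as an int (102, 220, ...) or None."""
    m = (re.search(r"^VERSION:(\d+)", text, re.M)               # 1.x header
         or re.search(r'<\?OFX[^>]*\bVERSION="(\d+)"', text))   # 2.x header
    return int(m.group(1)) if m else None

def audit(url, text):
    """Return the exposure findings for one logged request."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("plaintext-transport")
    version = ofx_version(text)
    if version is not None and version < HTTPS_SPEC_VERSION:
        findings.append("spec-predates-https")
    values = (m.group(2).strip() for m in _SECRET_RE.finditer(text))
    if any(v and v != MASK for v in values):
        findings.append("cleartext-credentials-in-body")
    return findings

if __name__ == "__main__":
    print(audit("http://ofx.bank.example/ofx", SAMPLE_LOG))
    print(redact_ofx(SAMPLE_LOG))
```

An `https` URL only clears the transport finding; whether the client validates the server certificate, the point raised in the quoted reply, has to be checked in the client's TLS configuration.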
