John,

The URI scheme used to connect to US banks providing OFX DirectConnect has always been https. The HTTP in the OFX specification refers to the application layer protocol. TLS/SSL is in the presentation layer.

The warning in the wiki was about the presence of the basic authentication information in the application layer's log.

Regards,

Sherlock


On 12/2/25 9:43 PM, John Ralls wrote:
Sherlock,

Nope. While you’re correct that the *modern* OFX spec specifies https 
connections, that wasn’t introduced until version 2.2, issued November 26, 
2017. All previous versions specified this:

1.2.1 Data Transport
Clients use the HyperText Transport Protocol (HTTP) to communicate to an Open Financial 
Exchange server. The World Wide Web throughout uses the same HTTP protocol. In principle, a 
financial institution can use any off-the-shelf web server to implement its support for Open 
Financial Exchange.

And that’s what was used for OFX Direct Connect. Nearly all of the US banks 
providing OFX DirectConnect used the older SGML-based version 1, the last version 
of which was 1.6 from October 1999. And credentials were transmitted in plain text: 
We had to include a warning about it in the OFX page: 
https://wiki.gnucash.org/wiki/index.php?title=Setting_up_OFXDirectConnect&oldid=16643#Enabling_the_OFX_Log
 (Note that’s the previous version that I wiped out on Sunday).

You can download some of the older specs from 
https://www.financialdataexchange.org/FDX/FDX/About/OFX-Work-Group.aspx?a315d1c24e44=2 . 
Scroll down to Previous Versions at the bottom of the page.

Regards,
John Ralls

On Dec 2, 2025, at 14:54, Sherlock <[email protected]> wrote:

John,

All the OFX network communication is performed over https.  The authentication 
method is basic but it is encrypted.  The client should be checking that the 
certificate provided by the server is valid, otherwise, a MITM is possible.  If 
the client isn't checking, that isn't a flaw in OFX.

Regards,

Sherlock


On 12/2/25 1:51 PM, John Ralls wrote:
Sherlock,
OFX Direct Connect sends credentials and all data as plain text over an 
unencrypted and unguarded (meaning no certificates to prevent a MITM) link. How 
is that not completely insecure?
OFX itself is just a data stream format. Security is the job of whatever is 
sending the stream.
Regards,
John Ralls
On Dec 2, 2025, at 11:20 AM, Sherlock <[email protected]> wrote:

Hi John,

My only issue is with your criticism of OFX security.  OFX is not "completely 
insecure" and there is encryption.

FWIW, we still pull transactions regularly from four financial institutions in 
the US.

Regards,

Sherlock


On 11/30/25 1:28 PM, John Ralls wrote:
On Nov 30, 2025, at 2:43 AM, Carl Ponder via gnucash-user 
<[email protected]> wrote:


I'm running GnuCash 5.13 on Ubuntu 24.04 using the command

   /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=gnucash
   --file-forwarding org.gnucash.GnuCash @@ %f @@

and trying to automatically download the transactions from my checking account 
at Charles Schwab and VISA transactions from Bank of America.
Using the menu

   Apps -> Office -> GnuCash -> Accounts -> Charles Schwab -> Tools ->
   Online Banking Setup -> Start AqBanking Setup -> Create User ->
   Select a Bank

I get a pane where I can enter the name "Charles Schwab" or "Bank of America", 
but then it just hangs.
Also the letters show up slowly in the pane, it looks like it's trying to do a 
lookup as I type, but not getting anything.
This page here

   https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect

mentions a https://www.ofxhome.com/  database, but as far as I can tell, this 
URL doesn't exist.
Does GnuCash actually support online banking?
Not significantly in the USA. The one protocol we support, OFX Direct Connect, 
is completely insecure and so very few (maybe no) banks still offer it. The 
replacements are proprietary and require corporate vetting to license so it’s 
not possible for either GnuCash or AqBanking to implement them.
Accordingly I’ve replaced 
https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect with a tombstone page 
and put a header at the top of 
https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settings declaring that 
it’s of historical interest only.
That pane where you enter the name and click a button to look up the bank does depend 
on ofxhome.com, which no longer exists, so you could set up 
OFX Direct Connect manually if you had a bank that did still support it. I can tell 
you categorically that neither Charles Schwab nor BofA do (nor does BNY Mellon, the 
bank that Schwab uses for their cash sweeps).
Regards,
John Ralls

_______________________________________________
gnucash-user mailing list
[email protected]
To update your subscription preferences or to unsubscribe:
https://lists.gnucash.org/mailman/listinfo/gnucash-user
-----
Please remember to CC this list on all your replies.
You can do this by using Reply-To-List or Reply-All.
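
Editor's added example, not code from GnuCash, AqBanking, or any participant in the thread above. It puts the three points argued in the thread into runnable form: the OFX server URL must be https or credentials cross the wire in clear text; the client must verify the server certificate or a man-in-the-middle is possible; and an application-layer OFX log (the subject of the wiki warning) must not retain the sign-on credentials. The tag names SONRQ, USERID and USERPASS and the application/x-ofx content type come from the OFX specification; the two sample messages, the log format and the URL are constructed for this example. The redaction handles both the SGML-style OFX 1.x form (no closing tags, value runs to end of line) and the XML OFX 2.x form.

```python
"""Added example (editor's code, not from GnuCash, AqBanking or the thread).

1. refuse a non-https OFX server URL (credentials would travel in clear text);
2. build a TLS context that verifies the certificate chain and hostname;
3. redact USERID/USERPASS from anything written to the application-layer log.

Sample messages, URLs and the log format are constructed for illustration.
"""
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

# Credential-bearing tags of the sign-on request (<SONRQ>); extend as needed.
# OFX 1.x (SGML) tags have no closing tag and the value runs to end of line or
# to the next '<'; OFX 2.x (XML) tags are closed. One pattern serves both.
_SECRET_RE = re.compile(r"<(?P<tag>USERID|USERPASS)>(?P<val>[^<\r\n]*)",
                        re.IGNORECASE)


def redact_ofx(text: str) -> str:
    """Return the OFX text with every USERID/USERPASS value masked."""
    return _SECRET_RE.sub(lambda m: f"<{m.group('tag')}>[REDACTED]", text)


def is_https_url(url: str) -> bool:
    """True only if the server URL uses the https scheme."""
    return urlsplit(url).scheme.lower() == "https"


def make_tls_context() -> ssl.SSLContext:
    """A context that verifies the server certificate chain and hostname.

    ssl.create_default_context() already sets CERT_REQUIRED and
    check_hostname=True; both are restated explicitly so a reader sees which
    two settings a MITM-tolerant client would have switched off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def post_ofx(url: str, body: bytes, log) -> bytes:
    """POST an OFX request; log redacted copies; refuse http and unverified TLS.

    Performs a network request, so it is not exercised offline."""
    if not is_https_url(url):
        raise ValueError(f"refusing non-https OFX server URL: {url}")
    log.write(redact_ofx(body.decode("utf-8", "replace")) + "\n")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-ofx"})
    with urllib.request.urlopen(req, context=make_tls_context()) as resp:
        reply = resp.read()
    log.write(redact_ofx(reply.decode("utf-8", "replace")) + "\n")
    return reply


# Constructed samples: an OFX 1.x (SGML) sign-on and an OFX 2.x (XML) one.
SAMPLE_OFX1 = (
    "OFXHEADER:100\nDATA:OFXSGML\nVERSION:160\n\n"
    "<OFX><SIGNONMSGSRQV1><SONRQ>\n"
    "<DTCLIENT>20251202140000\n<USERID>jdoe\n<USERPASS>hunter2\n"
    "<LANGUAGE>ENG\n</SONRQ></SIGNONMSGSRQV1></OFX>\n")
SAMPLE_OFX2 = (
    '<?xml version="1.0"?><OFX><SIGNONMSGSRQV1><SONRQ>'
    "<USERID>jdoe</USERID><USERPASS>hunter2</USERPASS>"
    "</SONRQ></SIGNONMSGSRQV1></OFX>")

if __name__ == "__main__":
    print(redact_ofx(SAMPLE_OFX1))
    print(redact_ofx(SAMPLE_OFX2))
    print(is_https_url("http://ofx.example.net/ofx"))   # False
```

Note that redacting the log is a mitigation for the wiki's warning only; it does nothing for the earlier complaint in the thread, which concerns what leaves the client on the wire. That is what the https check and the verifying TLS context are for.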