On Sun, Feb 7, 2021 at 5:10 PM Jean L <rip...@gmail.com> wrote:
> Sure, you can have a man-in-the-middle setup, but if you don't have the
> keys that Quicken and the bank use to communicate and communications are
> encoded, you can't get any data from being in the middle, unless I'm
> missing something.

You assume Quicken is checking the remote key signature against its records. However, what Quicken most certainly does is just regular HTTPS, because otherwise maintaining a database of signatures of the myriad of banks they support would be a PITA. So as long as the certificate is valid they're good to go. And since you have access to the system, you can install a CA root to generate a valid certificate on demand to perform the MITM.

Moreover, in some cases you can have the software dump the Master-Secret log file, which can be read directly by Wireshark to decrypt the traffic. I've done this previously with the commercial Java-based Moneydance to decrypt its communication with Discover bank.[1]

Google "Wireshark MITM" for more information.

[1] https://stackoverflow.com/a/41078568

--
Regards,
Dawid
_______________________________________________
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
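
The check the reply says Quicken most likely does not perform, comparing the server's certificate against a stored record (certificate pinning) on top of ordinary HTTPS validation, is sketched below as an added example; it is not part of the original message and is not Quicken, Moneydance or GnuCash code. The function names, the byte strings standing in for certificates, and the choice to pin the whole leaf certificate are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: set[str]) -> bool:
    """True only if the presented certificate is one recorded in advance."""
    presented = cert_fingerprint(der)
    return any(hmac.compare_digest(presented, p.lower()) for p in pins)


def connect_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """Ordinary HTTPS validation first, then the pin check on top of it."""
    ctx = ssl.create_default_context()  # accepts any root in the system store
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} matches no pinned fingerprint")
    return tls


# Constructed stand-ins for DER certificates (not real certificates). In the
# scenario from the message both would pass chain validation, because the
# second is issued by a root that was added to the local trust store.
BANK_LEAF = b"constructed-der-bytes: bank leaf certificate"
LOCAL_CA_LEAF = b"constructed-der-bytes: leaf issued by a locally added root"
PINS = {cert_fingerprint(BANK_LEAF)}


def demo() -> dict[str, bool]:
    """Pin results for the two constructed certificates."""
    return {"bank": pin_matches(BANK_LEAF, PINS),
            "local_ca": pin_matches(LOCAL_CA_LEAF, PINS)}


if __name__ == "__main__":
    print(demo())
```

The pin set has to be updated every time a bank rotates its certificate, which is the maintenance burden the message gives as the reason a product supporting many banks would rely on plain certificate validation instead.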