[Linux-bruxelles] [Webbanking Fortis] Info?

Henrion Benjamin bh at udev.org
Mon 20 Jan 22:18:10 CET 2003


> On Saturday 18 January 2003 11:15, Emmanuel Di Pretoro wrote:
>> On Fri, 17 Jan 2003 18:00:35 +0100
>>
>> RICHARD Thibault <thibault at itn.skynet.be> wrote:
>> > But with the calculator, does it work under Linux and a browser
>> > other than IE?
>>
>> Personally, I use Opera under Linux, and it works flawlessly as far as
>> PC Banking is concerned. Besides, on my laptop, I completely got rid
>> of W$ thanks to that, among other things ;-))

Source: http://anthony.lesuisse.com/AL-2002-03-01_cph.html

CPH.BE online services use standard technologies

We all know that banks and technology don't usually mix very well.

You can find the list of all banks in Belgium at
http://www.abb-bvb.be/. We wanted to open an account for our company at a
bank that met these criteria:
    * Online services usable, at least, under GNU/Linux, both i386 and ppc.
    * No PBX hell, easy ways to get a human on the phone.

We searched, and called them one by one; it was awful. All banks are
reinventing the wheel, instead of using proven technology such as SSL.
The end-user non-native packages often use a Java applet to encrypt the
data from the HTML forms, using JavaScript to pass the data from these
forms to the applet. Another solution (used by BBL) is to use
We all know that Java (on the client side) is doomed since Microsoft doesn't
support it anymore.
The most shocking thing is that the enterprise-oriented package, called
ISABEL, is based on the principle of security by obscurity. It may be
secure but we can't be sure about it.
Even online-only banks use such technology.

Bank    Usable under  Native code  javascript  java    International  ssl
        Linux         needed                   applet  payment
FORTIS  N             ?            ?           ?       ?              ?
BBL     Y             Y            Y           ?       N              N
CBC     Y             N            Y           Y       Y              N
DEXIA   N             ?            ?           ?       ?              ?
CPH     Y             N            N           N       N              Y

Except one

Then we found CPH.BE, which uses the following system. You get a certificate
in the .pfx format on disk (I suggest you convert it to the .pem format
with openssl); you also get the X.509 pub key of the bank just in case of
DNS hijacking.
The authentication uses two steps: first the SSL using your private pkcs12
key, then a usual login/passwd on an IIS ASP server, using a cookie to
maintain your ASPSESSION.
All the following commands can be done using regular GET/POST HTTP requests.

You even have the possibility to download and upload files in the CODA, CIRI
format.
It is simple and secure.

WARNING: if you intend to use curl(1), beware that there is a bug in the
Microsoft HTTP/SSL implementation and that you have to use a curl version
BELOW 7.9, because modern versions of curl are less tolerant of the
Microsoft bug.

Usage for unix users

    * copy the pfx file from the disk into your homedir
    * launch mozilla
    * Edit -> Preferences -> Privacy & security -> Certificates -> Manage
    Certificates -> Your Certificates -> Restore.
    * Warning: mozilla will first ask you for the new passphrase before the
    file passphrase.
    * choose the file
    * go to https://cphnet.cph.be/
    * optional: to convert your private key into a readable format use the
    command openssl pkcs12 -in 1234.pfx -out 1234.pem
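
The optional conversion step above, extended into an added example (not part of the original post): it splits a .pfx into separate certificate and key files with owner-only permissions and checks that the key belongs to the certificate. The sample .pfx, the passwords and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The certificate, passwords and file names are constructed.

# Stand-in for the bank's disk: throwaway key + self-signed cert packed as .pfx
make_sample_pfx() {   # $1 = work dir, $2 = pfx password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -out "$1/1234.pfx" -passout "pass:$2" 2>/dev/null
}

# Split the .pfx into certificate and private key. The key is written
# unencrypted (-nodes), so umask 077 keeps both files owner-only.
# "pass:" on the command line is visible in ps; for a real file, drop -passin
# and let openssl prompt.
split_pfx() {         # $1 = pfx file, $2 = pfx password, $3 = output prefix
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
          -out "$3.cert.pem" 2>/dev/null &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
          -out "$3.key.pem" 2>/dev/null )
}

# SHA-256 fingerprint of a certificate, for comparison with a value obtained
# out of band (for instance the bank certificate delivered on the disk).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the private key belongs to the certificate.
pubkey_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }
key_matches_cert() {  # $1 = cert file, $2 = key file
    [ "$(openssl x509 -in "$1" -noout -pubkey | pubkey_hash)" = \
      "$(openssl pkey -in "$2" -pubout | pubkey_hash)" ]
}

# Demo run on the constructed sample.
d=$(mktemp -d)
make_sample_pfx "$d" samplepass && split_pfx "$d/1234.pfx" samplepass "$d/1234" &&
    key_matches_cert "$d/1234.cert.pem" "$d/1234.key.pem" &&
    echo "key matches certificate $(fingerprint "$d/1234.cert.pem")"
rm -rf "$d"
```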




