Download security price history for Quicken Windows 2007 recently broken by server changes

john.shriver Quicken Windows Other Member ✭✭
Sometime between November 8, 2019 and November 20, 2019, Quicken made a change to the server that provides security price downloads for Quicken Windows 2007. In a nutshell, they disabled TLS Version 1.0 and TLS Version 1.1 for the HTTPS protocol. The problem is that Quicken Windows 2007 is too old to have the now-required TLS Version 1.2. I suspect that this was done as an attempt to "improve security".

I got very nice chat support from Quicken, and they said it's an unsupported version of Quicken. No surprise. Gave me good advice that given the nature of my Quicken file, I should stick to Quicken for Windows, as I won't be able to migrate my investment accounts to Quicken for Mac. (I'm running Quicken Deluxe 2007 on Windows XP on Parallels on Mac OS X, as there was no usable Mac option when I switched from Windows to Mac.) So I'm not annoyed at Quicken, but I surely don't look forward to the migration process. Especially since they don't recommend continuing to update a converted file, but I have 35 years of history in that file, dating back to my first IRA account in the 1980's.

But I'm wondering if I can get any attention from Quicken developers here. There's really no reason to break this service, in fact there's no good reason to even have security price download require HTTPS and TLS.

When Quicken Windows 2007 wants to load security prices, it makes an HTTP POST like this:

POST /desktop/histquotes/?version=2007&sku=premier&os=win&country=us&build=16005 HTTP/1.1
Host: qw2007.quicken.com
Content-Type: application/qfn-encoded
Content-Length: 109

stk.0.sym=VNQ;stk.1.sym=VWO;stk.2.sym=VZ;stk.3.sym=WFC;stk.4.sym=WMT;stk.5.sym=XEL;stk.6.sym=XOM;range=5years

The HTTP response is:

HTTP/1.0 302 Found
Location: https://qw2007.quicken.com/desktop/histquotes/?version=2007&sku=premier&os=win&country=us&build=16005
Connection: Keep-Alive

Which is telling us to try the same request using HTTPS, which uses TLS for encryption.

With the curl program, I've verified that the request fails if you use TLSv1.0 or TLSv1.1, but works if you use TLSv1.2.

TLSv1.2:

$ curl --tlsv1.2 -v --data-binary @/tmp/q -H "Content-Type: application/qfn-encoded" 'https://qw2007.quicken.com/desktop/histquotes/?version=2007&sku=premier&os=win&country=us&build=16005'
* Trying 209.234.225.180...
* Connected to qw2007.quicken.com (209.234.225.180) port 443 (#0)
* found 155 certificates in /etc/ssl/certs/ca-certificates.crt
* found 624 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: qw.quicken.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Menlo Park,O=Quicken\, Inc.,CN=qw.quicken.com
* start date: Mon, 30 Apr 2018 00:00:00 GMT
* expire date: Sat, 11 Jul 2020 12:00:00 GMT
* issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
* compression: NULL
* ALPN, server did not agree to a protocol
> POST /desktop/histquotes/?version=2007&sku=premier&os=win&country=us&build=16005 HTTP/1.1
> Host: qw2007.quicken.com
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/qfn-encoded
> Content-Length: 109
>
* upload completely sent off: 109 out of 109 bytes
< HTTP/1.1 200 OK
< Cache-Control: private
< Content-Type: text/plain
< Date: Tue, 26 Nov 2019 00:29:34 GMT
< Gzip: 0
< P3p: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
< Server:
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
qwin.output 38949
[VNQ]
fmt=date(yyyy-mm-dd),close,high,low,vol
q0=2014-11-28,80.5700,81.4400,80.4000,2225170
q1=2014-12-31,81.0000,83.0899,80.9249,4494515
q2=2015-01-30,86.5500,88.2500,86.5400,4969805
q3=2015-02-27,83.3700,83.5800,82.4300,4328243
[...]

TLSv1.0:

$ curl --tlsv1.0 -v --data-binary @/tmp/q -H "Content-Type: application/qfn-encoded" 'https://qw2007.quicken.com/desktop/histquotes/?version=2007&sku=premier&os=win&country=us&build=16005'
* Trying 209.234.234.180...
* Connected to qw2007.quicken.com (209.234.234.180) port 443 (#0)
* found 155 certificates in /etc/ssl/certs/ca-certificates.crt
* found 624 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed

But there is no reason to use HTTPS for requests to http://qw2007.quicken.com/desktop/histquotes/, since the only "customer secret" that would be passing over HTTPS is the list of securities, and that was already passed in cleartext in the HTTP POST that got the redirect to HTTPS. So the list of securities that I track the prices of is already non-secret. The security prices are also non-secret, since Quicken doesn't authenticate the client trying to access them.

So Quicken could do either of two things to restore Quicken Windows 2007 security price download:

1. Back out the change that required TLSv1.2, as the application will never be able to speak TLSv1.2.
2. Remove the configuration for the redirect from HTTP to HTTPS for this URL on that server, since it is not providing ANY privacy.
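The point above about the symbol list crossing the wire before the 302 can be reproduced offline. This is an added example, not part of the original post: a loopback HTTP listener (a constructed stand-in for the real server) answers the POST shown earlier with the same redirect and records what arrived unencrypted. `parse_qfn` is a hypothetical helper whose format is inferred only from the one request body shown in the post.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request path and body copied from the post; everything else is constructed.
PATH = "/desktop/histquotes/?version=2007&sku=premier&os=win&country=us&build=16005"
BODY = (b"stk.0.sym=VNQ;stk.1.sym=VWO;stk.2.sym=VZ;stk.3.sym=WFC;"
        b"stk.4.sym=WMT;stk.5.sym=XEL;stk.6.sym=XOM;range=5years")

def parse_qfn(body: bytes) -> dict:
    """Split the ';'-separated key=value pairs seen in the POST body."""
    return dict(p.split("=", 1) for p in body.decode("ascii").split(";") if p)

class RedirectToHttps(BaseHTTPRequestHandler):
    """Plain-HTTP listener that answers every POST with a 302 to https://."""
    seen = []  # bodies that arrived unencrypted, as an on-path observer sees them

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.seen.append(self.rfile.read(length))  # already on the wire in cleartext
        self.send_response(302)
        self.send_header("Location", "https://qw2007.quicken.com" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def cleartext_before_redirect():
    """POST over HTTP to loopback; return (status, Location, symbols seen in cleartext)."""
    RedirectToHttps.seen.clear()
    server = HTTPServer(("127.0.0.1", 0), RedirectToHttps)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("POST", PATH, body=BODY,
                     headers={"Content-Type": "application/qfn-encoded"})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    fields = parse_qfn(RedirectToHttps.seen[0])
    symbols = [v for k, v in sorted(fields.items()) if k.endswith(".sym")]
    return status, location, symbols

if __name__ == "__main__":
    print(cleartext_before_redirect())
```

A client that already sent its body over HTTP gains no confidentiality for that request from the redirect; only a client that starts on HTTPS (for example because of HSTS or a hard-coded https:// URL) avoids the cleartext leg.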

Answers

  • NotACPA Quicken Windows Subscription SuperUser ✭✭✭✭✭
    When you bought and Installed Q2007, you agreed to the "End User License Agreement" that stated that ALL ability to download into QW2007 would expire on 4/30/2010.
    Quicken/Intuit just recently discovered that certain servers which SHOULD have been deactivated then were overlooked.
    SO, you got a gift of about 9 years of downloads. 
    That gift won't be restored.

    Q user since February, 1990. DOS Version 4
    Now running Quicken Windows Subscription, Business & Personal
    Retired "Certified Information Systems Auditor" & Bank Audit VP

  • mshiggins Quicken Windows 2017 SuperUser ✭✭✭✭✭
    Is it just me or is it a bit worrisome that there was a server or servers that gave out quote data unbeknownst to Quicken for 9 years?

    Quicken user since Q1999. Currently using QW2017.
    Questions? Check out the Quicken Windows FAQ list

  • john.shriver Quicken Windows Other Member ✭✭
    To be precise I'm running "Quicken 2007 Premier Release R 5".

    volvogirl, I suspect that the reason it kept working was because Quicken Mac 2007 was using it.

    Of course, Quicken hasn't shut down the server. It's still there. Their third alternative is to shut it down, since no transactions will succeed. But maybe some supported versions that have TLSv1.2 still use it.
This discussion has been closed.