The sad thing is you are being more careful with your system design than
your bank probably is. :-/ By the time you are running OpenBSD on your
banking computer, I suspect you have shifted the primary risk to the
other end of the wire... your bank is a bigger risk to your data than you
are.
Especially if the web programmers didn't take care to check every
POST/GET variable for SQL injection or other injections like simple HTML
injection or JavaScript injection. No matter what operating system they
use on the banking server, any web script that allows any form of
malicious injection (through a POST/GET) is problematic.
An example:
http://z505.com/gng/fsf-gnu-site-easy-to-hack.htm
The FSF site is easily hacked to recommend OpenBSD as the operating
system of choice.
Many banks I checked were injection-safe, from the limited testing I did.
I was, however, able to find an exploit in the Royal Bank of Canada's
website, more than a year ago, unrelated to injection. It was a Perl
script that hadn't been checked closely enough by their programmers and
allowed money to be created on the fly, believe it or not. That's pretty
scary.
Alphanumeric (plus underscores) by default is one good way to secure
most form/URL processing scripts. Sure, some form/URL processing scripts
require more than alphanumeric, such as punctuation. But tons of sites
are insecure mainly because they allow more than alphanumeric, numeric,
or alphabetic by default.
L505
P.S. I checked the OpenBSD site for many vulnerabilities once, and found
nothing after white-hat attempts. Someone must have carefully coded the
URL/POST/GET processing on the scripts that run the OpenBSD site.
Usually I can inject something into any site within a few
seconds/minutes, but not on openbsd.org, and quite frankly I wasn't so
surprised.
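The two points the post makes, that an unchecked GET/POST value lets an attacker rewrite the query or the page, and that an alphanumeric-plus-underscore allow-list by default (with bound parameters where a field genuinely needs punctuation) closes that off, shown as an added example that is not part of the original post. The in-memory SQLite table, the sample accounts and all function names are constructed for illustration and do not describe any bank's or OpenBSD's actual scripts:

```python
import html
import re
import sqlite3

# Allow-list as the post describes: letters, digits and underscore only,
# with a length bound so a single field cannot carry a long payload.
ALLOWED = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_allowed(value):
    """True only if the whole value is alphanumeric/underscore and 1..32 chars long."""
    return ALLOWED.fullmatch(value) is not None


def setup_db():
    """Constructed sample data: an in-memory table standing in for an accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def lookup_balance_vulnerable(conn, user):
    """Deliberately vulnerable: the raw GET/POST value is spliced into the SQL text,
    so a value like  x' OR '1'='1  turns a one-row lookup into a dump of every row."""
    query = "SELECT user, balance FROM accounts WHERE user = '%s'" % user
    return conn.execute(query).fetchall()


def lookup_balance_parameterized(conn, user):
    """Bound parameter only: the value is data, never SQL, so punctuation cannot
    change the query. Use this where a field legitimately needs non-alphanumerics."""
    return conn.execute("SELECT user, balance FROM accounts WHERE user = ?",
                        (user,)).fetchall()


def lookup_balance_safe(conn, user):
    """Default posture for a form/URL script: allow-list first, then a bound parameter."""
    if not is_allowed(user):
        raise ValueError("rejected input: %r" % user)
    return lookup_balance_parameterized(conn, user)


def render_greeting_vulnerable(user):
    """Deliberately vulnerable HTML/JavaScript injection: value echoed unescaped."""
    return "<p>Hello %s</p>" % user


def render_greeting_safe(user):
    """Escape on output so <, >, & and quotes can never open a tag or attribute."""
    return "<p>Hello %s</p>" % html.escape(user, quote=True)


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"
    print("vulnerable   :", lookup_balance_vulnerable(db, payload))    # every account
    print("parameterized:", lookup_balance_parameterized(db, payload))  # []
    try:
        lookup_balance_safe(db, payload)
    except ValueError as err:
        print("allow-list   :", err)
    print("safe lookup  :", lookup_balance_safe(db, "alice"))           # [('alice', 100)]
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The allow-list is the cheap default the post argues for; the bound parameter is what keeps a field that must accept punctuation from becoming SQL, and escaping on output is what keeps the same value from becoming markup when it is echoed back. The three are independent and a script needs whichever apply to each field.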