on 05-09-2018 10:10 PM
PEXA's digitial certificate software download is signed with a certificate issued to 'pexa.net.au'. Why should anyone trust software signed by a website? Especially one that is not in use? It is trivial to register website names, and numerous 'pexa.' domains are available for registration now by anyone. How are we to discern whether pexa.net.au is actually owned by the Property Exchange Australia Limited? How then, are we to determine whether to trust the signer and install this software?
The software should be signed with a certificate issued to PROPERTY EXCHANGE AUSTRALIA LIMITED.
Surely PEXA does not think that users should ignore incorrect security certification of its software? Or that we should trust anything with 'PEXA' in it somewhere? This is EXACTLY how fake (malicious) software is promulgated.
Here is a snip of what the digital signatures look like on correctly signed software by two other well known software companies (left hand side) and on the right-hand side, a snip of the PEXA software signature. (Red markup added by me for emphasis)
I posted about this in the general forum section, but received no response.
on 06-09-2018 09:47 AM
Hi @Andrew_GC, thanks for posting this, pexa.net.au is a PEXA domain. I have shared this with our security team to find out more information.
on 10-09-2018 08:43 AM
Hi @Andrew_GC - the team are looking into it so hoping to share more info with you asap.
on 12-10-2018 02:54 PM
Sooo.... any news? I would have thought a month was enough time for your security team respond?
on 15-10-2018 09:02 AM
Hi @Andrew_GC - our security team have reviewed the Digital Certificate package and it will soon be updated to show Property Exchange Australia. Thanks for bringing this is our attention.