Is Password Protecting PDFs Enough? Try PDF Certificate Security


There’s still a lot of confusion about the PDF file format. People generally use it more than they did 10 years ago; in fact, 70% of all email attachments are PDF documents and 80% of all non-HTML documents on the web are PDFs. This may be partly due to the ease and availability of PDF converters or “PDF Printers,” but regardless of this growth in usage, there’s still a lot of uncertainty as to what can and cannot be done with a PDF file.

In this article we’ll offer some clarity on a few common misconceptions about the security of the PDF format.

Misconception #1: Convert to PDF to prevent further changes

“If I print my MS Word document to PDF, other people can’t change it, right?”

Wrong. The PDF file format is used to “enable users to exchange and view electronic documents independent of the environment in which they were created or the environment in which they are viewed or printed.” In other words, it’ll look on your screen like it looks on mine, as if I gave you a piece of paper.

What a standard PDF file doesn’t do by default is protect the content from being edited. Anyone with a PDF editor (we know of a particularly great one!) can easily edit anything in the file–content, formatting, page order, etc.

Editing a PDF is probably easier than you think–have a look.

Misconception #2: Just set a password!

Well… kinda. What is true is that password security will give you control over (A) who can open the file, and (B) what they can do with it.

password security image

In other words, everyone who doesn’t have password A (seen above in the “Open password” field) cannot open the file, and everyone who doesn’t have password B (seen above in the “Permissions” field) can’t do anything outside of what’s selected in the “Changes allowed” field.

However, while this type of password protection is great for managing basic permissions, it’s not as secure as it gets. If the content of your file is valuable enough, an intruder could use simple tools to perform a brute-force attack on the file and gain access fairly easily. This method doesn’t give you very granular control, either. It’s pretty much all or nothing: you have the password(s), or you don’t.

For a step-by-step explanation of how to password protect a PDF file with Nitro Pro click here.

The Solution: Level-up with Certificate Security

All of us come across certificate security every day. Example: a web server showing you an HTTPS website (here’s an example) is using SSL encryption based on certificates to prevent eavesdropping and tampering.

In PDF security, however, instead of using the certificate to verify a server’s identity, we use it to verify a person’s identity. The certificate consists of two parts: the public key and the private key. You can create them yourself or purchase them, but you’ll first have to specify what you need them for. These settings will then be visible in the ‘usage’ properties of the key.

You can use Nitro Pro to create self-signed certificates—an identity certificate that is signed by the same entity whose identity it certifies—by creating or importing a Digital ID, but usually this is only acceptable when collaborating within an organization. If third parties are dealing with your PDF files, it’s usually preferable to buy a certificate from a trusted provider.

my digital ID

Each Digital ID you create (you can have multiple, with different settings) generates both a unique public key and a unique private key. You will need to have your public and private key accessible on your computer, as well as the public keys of other people that you want to work with on PDF files. Private keys are never shared with anyone and will always stay in the owner’s possession. As shown in the image below, you can use Nitro Pro to request public keys from collaborators:

manage trusted contacts

Once armed with the public keys of your collaborators, you can set specific permissions and define what they can and can’t do with the PDF files you’re working on together. In these examples:

John can edit;

certificate security image 1

Niall can comment, fill in forms, and sign;

certificate security image 2

However, Garth can only print. Sorry, Garth.

certificate security 3
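
To check which of the two schemes a received PDF actually uses, you can read its encryption dictionary. The sketch below is an added example, not Nitro's code: it reports the security handler and, for password security, decodes the single permissions value (`/P`) that applies to everyone holding the open password; with certificate security the permissions are stored per recipient inside encrypted envelopes, so none are visible here. The function names and sample bytes are constructed for illustration.

```python
import re

# Permission flags of the /P entry in a PDF encryption dictionary
# (bit numbers as in ISO 32000-1, where bit 1 is the lowest-order bit).
PERMISSION_BITS = {
    3: "print", 4: "modify contents", 5: "copy or extract", 6: "comment",
    9: "fill forms", 10: "extract for accessibility",
    11: "assemble pages", 12: "print high quality",
}
# /Filter names of the two security handlers the article compares.
HANDLERS = {b"Standard": "password", b"Adobe.PubSec": "certificate"}

def decode_permissions(p):
    """List the operations a /P value allows (/P is a signed 32-bit integer)."""
    p &= 0xFFFFFFFF
    return [name for bit, name in PERMISSION_BITS.items() if p & (1 << (bit - 1))]

def describe_encryption(pdf_bytes):
    """Report the security handler and, for password security, the permissions.

    Simplification: scans raw bytes for the encryption dictionary instead of
    parsing the file, and assumes it is stored as its own indirect object.
    """
    m = re.search(rb"/Filter\s*/(Standard|Adobe\.PubSec)\b", pdf_bytes)
    if m is None:
        return {"handler": None, "permissions": None}
    start = max(pdf_bytes.rfind(b"obj", 0, m.start()), 0)
    end = pdf_bytes.find(b"endobj", m.end())
    body = pdf_bytes[start:end if end != -1 else len(pdf_bytes)]
    # Certificate security has no /P here: each recipient's permissions sit
    # inside that recipient's encrypted envelope in /Recipients.
    p = re.search(rb"/P\s*(-?\d+)", body)
    return {
        "handler": HANDLERS[m.group(1)],
        "permissions": decode_permissions(int(p.group(1))) if p else None,
    }

# Constructed samples (not real documents): only the encryption dictionary.
SAMPLE_PASSWORD = (b"7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 "
                   b"/O <00> /U <00> /P -1852 >>\nendobj\n")
SAMPLE_CERTIFICATE = (b"7 0 obj\n<< /Filter /Adobe.PubSec /SubFilter "
                      b"/adbe.pkcs7.s4 /V 2 /Recipients [<00>] >>\nendobj\n")

if __name__ == "__main__":
    for sample in (SAMPLE_PASSWORD, SAMPLE_CERTIFICATE):
        print(describe_encryption(sample))
```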

Visit our community forum to read more about how to use the PDF certificate security features in Nitro Pro, including how to set up security profiles which allow you to save custom security settings and apply them to documents with one click. 
