Christian Paller is a Solutions Engineer in Nitro’s Dublin, Ireland office. Though he grew up in the middle of a wine region, he much prefers to drink beer. Christian says that he despises paper so much, it’s surprising he hadn’t started working for Nitro much sooner.
There’s still a lot of confusion about the PDF file format. People are generally using it more than they did 10 years ago; in fact, 70% of all email attachments are PDF documents and 80% of all non-HTML documents on the web are PDF. This may be partly due to the ease and availability of PDF converters or “PDF Printers,” but regardless of this growth in usage, there’s still a lot of uncertainty as to what can and cannot be done with a PDF file.
In this article we’ll offer some clarity on a few common misconceptions about the security of the PDF format.
Misconception #1: Convert to PDF to prevent further changes
“If I print my MS Word document to PDF, other people can’t change it, right?”
What a standard PDF file doesn’t do by default is protect the content from being edited. Anyone with a PDF editor (we know of a particularly great one, wink!) can easily edit anything in the file–content, formatting, page order, etc.
Editing a PDF is probably easier than you think–have a look.
Misconception #2: Just set a password!
Well… kinda. What is true is that password security will give you control over (A) who can open the file, and (B) what they can do with it.
In other words, everyone who doesn’t have password A (seen above in the “Open password” field) cannot open the file, and everyone who doesn’t have password B (seen above in the “Permissions” field) can’t do anything outside of what’s selected in the “Changes allowed” field.
However, while this type of password protection is great for managing basic permissions, it’s not as secure as it gets. If the content of your file is valuable enough, an intruder could use simple tools to perform a brute-force attack on the file and gain access fairly easily. This method doesn’t give you very granular control, either. It’s pretty much all or nothing: you have the password(s), or you don’t.
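To check what password security a given file actually carries, the sketch below (an added example, not Nitro's code) reads the standard security handler's /Encrypt dictionary from raw PDF bytes and reports the key length and the operations the permission flags allow. The sample documents are constructed fragments with placeholder /O and /U values, and the function and field names are this example's own.

```python
import re

# Bit positions (1-based) of the /P permission flags, ISO 32000-1 Table 22.
PERMISSION_BITS = {3: "print", 4: "modify contents", 5: "copy or extract",
                   6: "annotate", 9: "fill forms", 10: "accessibility extract",
                   11: "assemble pages", 12: "high-quality print"}

def decode_permissions(p, revision):
    """List the operations that a signed 32-bit /P value leaves allowed."""
    p &= 0xFFFFFFFF  # /P is written as a signed integer
    # Revision 2 handlers only interpret bits 3-6; bits 9-12 arrived with revision 3.
    return [name for bit, name in PERMISSION_BITS.items()
            if p & (1 << (bit - 1)) and (bit <= 6 or revision >= 3)]

def _num(chunk, key, default):
    """Read an integer entry such as /R 3 from one object's bytes."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", chunk)
    return int(m.group(1)) if m else default

def audit_pdf(data):
    """Return None for a file without password security, else its settings."""
    for chunk in data.split(b"endobj"):
        if not re.search(rb"/Filter\s*/Standard\b", chunk):
            continue
        revision = _num(chunk, b"R", 2)       # missing /R treated as oldest revision
        key_bits = _num(chunk, b"Length", 40)  # /Length defaults to 40 when absent
        return {"revision": revision,
                "key_bits": key_bits,
                "short_key": key_bits < 128,   # legacy RC4 key sizes
                "allowed": decode_permissions(_num(chunk, b"P", 0), revision)}
    return None

# Constructed sample fragments (not complete, renderable PDFs).
PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n")
PROTECTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"9 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852\n"
             b"   /O <00> /U <00> >>\nendobj\n"   # /O and /U are placeholders
             b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n")
LEGACY = (b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"9 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44\n"
          b"   /O <00> /U <00> >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n")

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN), ("protected", PROTECTED), ("legacy", LEGACY)):
        print(name, audit_pdf(doc))
```

A result of None means the file carries no password security at all, which is the situation described under Misconception #1.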
All of us come across certificate security every day. Example: a web server showing you an HTTPS website (here’s an example) is using SSL encryption based on certificates to prevent eavesdropping and tampering.
In PDF security, however, instead of using the certificate to verify a server’s identity, we use it to verify a person’s identity. The certificate consists of two parts: the public key and the private key. You can create them yourself or purchase them, but you’ll first have to specify what you need them for. These settings will then be visible in the ‘usage’ properties of the key.
You can use Nitro Pro to create self-signed certificates—an identity certificate that is signed by the same entity whose identity it certifies—by creating or importing a Digital ID, but usually this is only acceptable when collaborating within an organization. If third parties are dealing with your PDF files, it’s usually preferable to buy a certificate from a trusted provider.
Each Digital ID you create (you can have multiple, with different settings) generates both a unique public key and a unique private key. You will need to have your public and private key accessible on your computer, as well as the public keys of other people that you want to work with on PDF files. Private keys are never shared with anyone and will always stay in the owner’s possession. As shown in the image below, you can use Nitro Pro to request public keys from collaborators:
Once armed with the public keys of your collaborators, you can set specific permissions and define what they can and can’t do with the PDF files you’re working on together. In these examples:
John can edit;
Niall can comment, fill in forms, and sign;
However, Garth can only print. Sorry, Garth.
Visit our community forum to read more about how to use the PDF certificate security features in Nitro Pro, including how to set up security profiles which allow you to save custom security settings and apply them to documents with one click.