
Help talk:Security/PDF files

From mediawiki.org

Translation


Shouldn't this page be translatable? (ping Tgr). Danmichaelo (talk) 12:17, 12 April 2015 (UTC)

It certainly should. I marked it for translation (I hope :) - not familiar with the translation workflow.) --Tgr (WMF) (talk) 19:55, 13 April 2015 (UTC)

Linking to a pdf file


Isn't it a bit ironic that a page warning about the security risks of PDFs links to a PDF file for more information? Legoktm (talk) 21:35, 3 June 2015 (UTC)

And over HTTP to a social networking site, even. I found [1] but there is no HTTPS. Nemo 10:00, 3 April 2016 (UTC)

Vague statement


@Tgr (WMF): "Adobe Acrobat, with its default settings, is NOT safe." Can we clarify that? What exactly is meant by "safe" here? If we're going to make such scathing statements we should at least take the time to explain them. This, that and the other (talk) 03:39, 15 August 2015 (UTC)

I believe that was based on T89744#1047730. 4.2.1 of [2] is also interesting, if a bit dated. --Tgr (WMF) (talk) 04:25, 15 August 2015 (UTC)
The statement was meant in the context of that particular issue-- in all of my testing, opening a PDF document with Acrobat Reader (where all of the Reader options had been left as default) on Windows (I tested XP through 8, iirc) would automatically open the URL in the system's default web browser, thereby revealing the IP address of the reader to whoever owns the server where the URL points. CSteipp (WMF) (talk) 17:55, 21 September 2015 (UTC)

Plugins


What makes us believe that Firefox and Chrom(e|ium) plugins are the safest PDF readers? Nemo 10:00, 3 April 2016 (UTC)

In general, I think all this information is too vague to be useful for real users. We should directly tell people to use either Firefox or Chromium plugins or a reader from https://pdfreaders.org , and at any rate avoid proprietary readers. --Nemo 16:28, 26 June 2017 (UTC)

There are a couple reasons to expect browser-based PDF readers to be more safe:

  • the security problems around PDFs tend to be related to either web fetches or JavaScript; those are both core competencies for browsers and huge amounts of (non-PDF-related) work have been applied to make them work safely. The same is not true for most other PDF client vendors.
  • security is much more of a reputation issue to browser vendors than to office tool vendors so it's reasonable to assume they invest much more resources into it. Past examples of how often security breaches happen and how they are handled seem to confirm this.
  • browsers are highly sophisticated sandboxes. Firefox implements PDF rendering in pure JS so even in the case of implementation errors the fallout is limited. Chrome is less safe but probably still uses the same sandboxing it generally uses for plugins.

Being open source helps security-wise but it's not that important, IMO. The Chrome PDF viewer was in fact closed-source until not so long ago. I would still have trusted it more than software written by a vendor in the desktop publishing space. --Tgr (WMF) (talk) 16:08, 4 July 2017 (UTC)
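
Added example, not part of the discussion above and not code from any PDF reader: a small Python triage scan for the PDF features this thread and the "Vague statement" thread name as the source of trouble (automatic URL opening, web fetches, JavaScript). The key names are from the PDF specification; which of them the reported Acrobat behaviour relied on is not stated on this page, and the sample bytes and host name are constructed.

```python
import re

# PDF dictionary keys that can cause a network fetch or script execution.
# Assumption: the page does not say which key the reported issue involved.
RISKY_KEYS = {
    "OpenAction": "action run when the document opens",
    "AA": "additional actions (event triggers)",
    "URI": "URI action (opens a URL)",
    "JavaScript": "embedded JavaScript",
    "JS": "JavaScript action body",
    "Launch": "launches an external application",
    "SubmitForm": "sends form data to a URL",
    "GoToR": "jumps to a remote document",
}

NAME_RE = re.compile(rb"/([^\s/()<>\[\]{}%]+)")   # a PDF name token
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky keys in raw PDF bytes.

    Names inside compressed object streams are not visible to a byte scan,
    so ObjStm is reported too: its presence means "decompress, then rescan".
    """
    hits = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_KEYS or name == "ObjStm":
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed sample: catalog with an open action that points at a URI
# action, plus a JavaScript action whose name is hex-escaped.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /URI /URI (http://tracker.example/ping) >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n"
)

if __name__ == "__main__":
    for key, count in sorted(scan_pdf(SAMPLE).items()):
        print(f"{key}: {count} ({RISKY_KEYS.get(key, 'compressed objects')})")
```

A hit is a reason to open the file in a sandboxed viewer, not proof of malice; ordinary link annotations also use /URI.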

linked texts are only in English ...


...and there is no mention about it in the translations

I am used to the German Wikipedia, where every linked text in a language other than German is marked as such. That is not the case here, so I would like to change it, only I do not have the rights to do so. I tried to change the translation but there was no way to save it, despite the warning that the changes haven't been saved when leaving the page. Strange strange strange... Please consider looking into it! Thanks --T 2001:9E8:635E:FE00:C637:854B:F31A:2AEC 23:24, 2 April 2024 (UTC)

I've applied your changes - they got stopped by an abuse filter false positive, which I agree the UI should display better. * Pppery * it has begun 00:22, 3 April 2024 (UTC)

Other PDF viewers


This page only talks about Acrobat; wouldn't it be better to talk about other PDF viewers and built-in editors also? If you reply here, please ping me. TheTechie (talk) 20:22, 10 June 2024 (UTC)

@TheTechie if you feel like researching whether various viewers / editors are vulnerable, sure. Otherwise I'm not sure what it could say that's not already said.
TBH I am not sure how relevant this warning is at all today. Acrobat X (the last known-to-be-vulnerable version, I think) was EOL in 2015. Tgr (WMF) (talk) 10:27, 13 June 2024 (UTC)
@Tgr (WMF) Ah, okay, I see. thetechie@mwdocs: ~/talk/ $ 17:03, 13 June 2024 (UTC)