Why it is so easy to remove PDF security & how to permanently protect PDFs.
Why password protection & certificates fail to protect PDFs, plus the best practices & tools to permanently prevent PDF sharing, copying, editing, and printing.
Ensuring the security of your PDF documents is essential in protecting sensitive and classified information, but preventing unauthorized access and modification can be a challenge. If you google “PDF security”, you’ll see hundreds of websites describing ways to bypass and remove PDF protection and providing the tools to do so. It is as easy as uploading the document to an online tool.
For organizations, this represents an existential threat. With GDPR and CPRA, consumer data privacy protections are the strongest they’ve ever been. Meanwhile, the risk to your stock price should sensitive board minutes, financial reports, trade secrets, or contracts leak is still immense. To prevent this from happening, you need to understand how traditional PDF security works, what the best practices are surrounding PDF distribution, and what software and services you can use to better protect your documents.
Understanding PDF security
There are several types of PDF security, but password security is the most common. Software such as Adobe Acrobat, Foxit PDF, SmallPDF, and various other online services and tools all offer this type of protection.
There are two types of PDF password:
- The PDF open password: This is used to determine who can open the file, as well as encrypt it.
- The permissions password: Used to control how a user can interact with a document – whether they can edit, print, copy/paste, etc.
If you can take anything away from this article, it should be that these passwords are not an effective way to protect document content from unauthorized access and modification.
While the owner password uses encryption, passwords are still generally short and usually quite easy for a computer to crack. Even if they are not, password removal tools such as those from Elcomsoft can remove password protection by using different types of attacks to guess the password.
But there are other, bigger issues with using an open password to prevent unauthorized access:
- Any user who has the password can share it (along with the document) with somebody else.
- You have to find a way to inform users of the password in a secure manner.
- Long, complex passwords are better, but impossible for users to remember.
- You should use a different password for each PDF, but logging and maintaining them could take hundreds of hours at scale.
In practice, this makes the open password quite useless.
The security of the permissions password, meanwhile, is completely useless. Users can upload your protected PDF to any number of online tools to strip the permissions password and trivially gain the ability to edit, copy, and print at will. They can then share the decrypted, unprotected document with anybody.
PDF certificates are the second most common PDF security mechanism. They are often seen as a more secure alternative to password-protected PDF files, and they are. You don’t have to worry about how to transmit passwords securely because certificate encryption uses public key infrastructure (PKI). Users are also much less likely to share their private key than a password, and files encrypted with a certificate are incredibly hard to crack.
The main issue is that PDF certificates are not designed to stop editing. They are simply a mechanism to exchange private and public keys. Once the user has decrypted the file, they can still do what they want with it. Certificates can also be finicky to use and manage, with the sender needing to have the user’s certificate in advance so that they can protect the document with the user’s public key.
We discuss the pros and cons of PDF passwords vs certificates in another blog.
Best practices to prevent PDF security removal
So how can you stop users from removing PDF security from your documents? Well, if you insist on using PDF passwords and certificates, follow these best practices:
- use a unique, long, and complex password for every copy of every document
- do not share the documents with users that you do not want to edit them
- ensure certificates are regularly revoked and securely maintained
- use strong encryption algorithms such as 256-bit AES
- train your employees on PDF security and the dangers of removing protection
- store PDFs in a secure environment, protected by multi-factor/biometric authentication
- use a reliable PDF viewer that implements security features effectively
- use digital signatures so that recipients can be sure the PDF came from you. Just be aware that, because of exploits in signature validation, they do not prove that a document has not been tampered with.
- add watermarks to your PDFs that contain the recipient’s information (to discourage sharing)
If you follow these best practices, there’s a lower chance that somebody will intercept and gain access to your documents. Unfortunately, there’s little you can do to stop users who are authorized to view your documents from editing them or sharing them with unauthorized users. Even user-identifying watermarks won’t go that far, as they can be removed using PDF editing software.
To truly prevent users from removing PDF security, you’ll have to start looking at third-party software and services that don’t use passwords for protection.
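One way to check the strong-encryption best practice above against files you already distribute, as an added example that is not part of the original article: the sketch reads the cipher and the permission flags (/P) that a PDF's /Encrypt dictionary declares. The function name and both sample dictionaries are constructed for illustration, and the code assumes the dictionary text has already been extracted from the file; it is a regex scan, not a full PDF parser.

```python
import re

# /P permission bits from the PDF specification (bit 1 is the lowest bit).
# A cleared bit means the action is denied when the file is opened without
# the permissions password.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
                   9: "fill_forms", 11: "assemble", 12: "print_high_quality"}


def audit_encrypt_dict(raw: bytes) -> dict:
    """Report the cipher and denied actions declared in an /Encrypt dictionary."""
    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", raw)
        return int(m.group(1)) if m else default

    v, length = num(b"V", 0), num(b"Length", 40)
    cfm = re.search(rb"/CFM\s*/(\w+)", raw)
    method = cfm.group(1) if cfm else b""
    if v == 1:
        cipher = "RC4-40"
    elif v == 2 or (v == 4 and method == b"V2"):
        cipher = f"RC4-{length}"
    elif v == 4 and method == b"AESV2":
        cipher = "AES-128"
    elif v == 5 and method == b"AESV3":
        cipher = "AES-256"
    else:
        cipher = "unknown"

    flags = num(b"P", -1) & 0xFFFFFFFF  # /P is a signed 32-bit integer
    denied = [name for bit, name in PERMISSION_BITS.items()
              if not flags & (1 << (bit - 1))]
    return {"cipher": cipher, "meets_aes256": cipher == "AES-256",
            "denied": denied}


# Constructed sample dictionaries (not taken from real documents).
LEGACY = b"<< /Filter /Standard /V 1 /R 2 /P -64 /O <00> /U <00> >>"
MODERN = (b"<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904 "
          b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen >> >> "
          b"/StmF /StdCF /StrF /StdCF >>")

if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, audit_encrypt_dict(sample))
```

The denied list is only what the file asks a viewer to enforce; as described above, it does not stop a user once the permissions password has been stripped.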
Tools to protect PDF files: PDF file protection software & services
Various products on the market are intended to add additional security to PDF files in one way or another. Not only are they more secure but they have additional features such as the ability to expire documents on a fixed date or after a period of time.
We’ll quickly assess the three most popular options – PDF plugins, data rooms, and PDF DRM.
PDF security plugins
Not much needs to be said about PDF security plugins – they simply introduce more problems than they solve. A plugin from one manufacturer can stop another one from working, as can any update to the Reader application or any other plugin. Additionally, plugins aren’t vetted by Adobe (even if Certified) and may have serious security flaws, particularly the ones that require users to turn off security in Acrobat Reader to work. Attackers can even create plugins specifically to prevent another from functioning.
Ultimately, third-party PDF security plugins can only do so much to patch up the major document security weaknesses present in Adobe Acrobat. With the constant headache of compatibility on top and easy methods to attack plugins, they just aren’t worth it.
Secure data rooms have a more interesting proposition: what if you allowed users to open PDF files, but only on a secure server that you control? Theoretically, this would mean that anybody outside of the organization that wishes to view your documents would be subject to the same level of oversight and access control as your employees, with tools to prevent the copying of files to external devices. Usually, this is offered as a service by a data room provider, who will allow you to rent a secure server in the cloud that already has access controls applied and a shiny interface to boot.
Unfortunately, while data rooms may be useful in certain circumstances, they alone do not prevent unauthorized users from gaining access to files or copying them. Usually, access to the secure server space is authenticated via a username and password combination. This can be shared with unauthorized users just as a PDF password can. While measures like IP address restrictions can be implemented, these can also be bypassed through the use of a VPN.
There are other issues with data rooms, too:
- By their very nature, they do not install any security software on the recipient’s PC. This means that they cannot prevent or detect screenshots when the window is not in focus and cannot prevent printing to file drivers.
- Multiple users can often log in at the same time with the same credentials.
- You’ll be uploading your sensitive content to the servers of a third-party, where it is decrypted. You cannot personally assess whether those servers are secure, won’t experience data loss, or won’t retain temporary files after deletion.
- Documents are accessed using a browser, which is not a secure environment. Browser plugins and development tools can be used to bypass security controls in some cases, and often temporary files containing unencrypted information are stored on the user’s local PC where they can be extracted.
Like PDF security plugins, PDF DRM applications try to provide a more secure set of controls for PDF files. PDF DRM software is typically entirely separate from the Adobe Acrobat security handler and does not rely on the application in any way. This allows them to implement a system that is secure from the ground up, rather than trying to patch holes in a sinking ship.
PDF DRM systems generally have three components: a licensing server, a secure PDF viewer application, and a “Writer” application that encrypts the PDF files. When the document issuer encrypts the file, they choose which controls they’d like to apply (stopping printing, copy-pasting, etc.). The document becomes inaccessible to anybody who does not have the correct decryption key, which is transmitted securely and transparently from the licensing server once an authorized user installs a license file.
The user can then open the file in their viewer application and only interact with it within the boundaries of the chosen controls. When it comes to PDF viewers, standalone applications are the most reliable and secure when compared to plugins to existing viewers or browser viewers, as they are much harder to manipulate and have greater control over the operating system.
A well-designed PDF DRM system with a standalone viewer makes it very difficult for users to send high-quality copies of a document to others or edit it. Such systems also typically contain additional measures not seen in plugins or data rooms, such as the ability to lock specific documents to devices to prevent sharing, and to prevent screenshotting and printing to unprotected PDFs.
How to prevent users from removing PDF security using Locklizard
Because Locklizard does not use passwords and uses its own Reader software to enforce restrictions, users cannot bypass or remove the protection.
Locklizard Safeguard DRM uses a combination of encryption, secure licensing and key management, and DRM controls to ensure that documents cannot be edited, copied, printed or shared, regardless of who is using them and where they are stored. These controls are simple to apply, and access and license distribution are managed via a central portal.
Here’s how to protect a PDF and prevent users from removing the protection:
- Right-click on a PDF in File Explorer and select “Make secure PDF”.
- Protect the PDF from unauthorized use by ticking the relevant controls. We recommend that you add a watermark to identify users. Safeguard creates permanent dynamic watermarks that cannot be removed using PDF editing software.
- Locklizard will automatically protect a PDF from copying text and images, but you may want to take additional steps to protect your PDF from screen capture. Without screen capture protection, a user can screengrab your PDF and import it into an optical character recognition tool to make the text editable. To prevent this, open the “Environment Controls” tab and tick “Disallow screen capture” and optionally “Add screen mask” which covers the viewer window with an image if focus is moved away from it.
- Press the “Publish” button at the bottom of the window.
Your protected PDF file will output to its source folder in the .pdc format and you can safely share it knowing that nobody can access it without a valid license.
- Add a user account and send them their license via the Safeguard admin portal.
With the PDF published, you’ll need to send your recipients the encrypted .pdc file, alongside a download link for the secure PDF reader application and a valid license. The simplest way of doing so is by ticking “Email license” when you add a new user. See how to add a new user and grant them document access.
Safeguard Secure PDF viewer cannot have its anti-editing controls bypassed because it does not have the ability to edit in the first place – only to highlight and add annotations. It also has no copy and paste functionality, no Save As functionality to convert to other file formats, and does not allow printing to file drivers. You can choose whether to allow screenshots or printing, and enable watermarks when you do to make re-scanning or using OCR tools difficult.
In summary, the following PDF security solutions are clearly not adequate for the protection of sensitive and confidential information.
- Adobe password protection is useless – open passwords can be shared and permissions instantly removed.
- Data rooms don’t offer much additional security and require you to upload documents to a server that is not under your control.
- PDF plugins suffer from compatibility issues, are easily bypassed, and can introduce security vulnerabilities.
There is simply no denying, then, that PDF DRM is the best way to prevent users from removing PDF security. A well-designed PDF DRM system will leave users with no route to bypass controls and edit, print, share, screenshot, or copy and paste a document. It will also introduce new and more granular controls that allow you to apply only the restrictions that are necessary for your use case.