Dealing with Signature Shadow PDF "vulnerability"

Albert Astals Cid aacid at kde.org
Mon Aug 3 23:12:12 BST 2020


On Monday, 3 August 2020, at 14:09:38 CEST, David Hurka wrote:
> Albert wrote:
> > For example, you sign a pdf that says "sign to get your annual bonus" and
> > then the PDF is modified to say "you're fired" and still have your
> > signature on it.
> > 
> > https://pdf-insecurity.org/download/exploits-shadow/hide.zip
> > 
> > When opening the "forged" PDF file on Okular we currently display the "The
> > document is digitally signed" banner (which is true, but not "the whole
> > truth").
> > 
> > It's not only until you open the properties of the signature that it says
> > "there have been changes to the document since signed" and also provides a
> > "Click here to see the version that was signed".
> > 
> > I'd say that is good, but arguably a bit hidden.
> > 
> > My suggestion would be to bring the "there have been changes to the document
> > since signed" wording to the "The document is digitally signed" banner.
> > 
> > What do you think?
> 
> 1) Okular is provided AS IS and WITHOUT WARRANTY, right?

I'm confused as to why you brought this up.

Are we going to answer "Okular is provided AS IS and WITHOUT WARRANTY, right?" to all the bugs we have in bugzilla and close them?

> If people rely on Okular, I think your suggestion makes sense.
> 
> 2) But some users will probably interpret “The document” as “what you see 
> here”, despite the addition “there have been changes”. Just think of the poor 
> MS Word users who read “Please disable save viewing of this document” in their 
> everyday and scam documents. I think we should better say “A different version 
> of this document...”. 

Not convinced that "A different version" is something "normal" people will understand, they need to grasp that 1 given file can contain more than one version of the document to understand what.

I'll ask my parents this week which of the two they would understand better, please if you have access to non tech people, do the same. Though maybe the answer I get is "digital signature what?"

Cheers,
  Albert
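As an added example (not code from this thread, nor from Okular or poppler): a small Python check of the point made above, that a single PDF file can carry more than one version of the document while the signature only covers the byte ranges recorded in the signature dictionary's /ByteRange. Anything appended after the signed range is an incremental update that the signature does not vouch for, which is exactly the "changes since signed" case. The sample PDF is constructed here, its /Contents blob is a placeholder rather than a real CMS signature, and all function names are my own.

```python
import re

# /ByteRange [a b c d]: the signature covers pdf[a:a+b] and pdf[c:c+d];
# the hole between them holds only the /Contents hex string.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signed_ranges(pdf: bytes) -> list:
    """Return every /ByteRange [a b c d] in the file, in file order."""
    return [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]


def analyze(pdf: bytes) -> list:
    """One entry per signature: does the file extend past the bytes that were signed?"""
    results = []
    for a, b, c, d in signed_ranges(pdf):
        signed_end = c + d
        # Readers tolerate trailing whitespace; anything else after the signed
        # range is an incremental update the signature does not cover.
        tail = pdf[signed_end:].strip(b"\r\n\t ")
        results.append({
            "byte_range": (a, b, c, d),
            "covers_from_start": a == 0,
            "signed_end": signed_end,
            "file_len": len(pdf),
            "modified_after_signing": len(tail) > 0,
        })
    return results


def signed_version(pdf: bytes, byte_range) -> bytes:
    """The bytes the signature covers: what 'the version that was signed' would show."""
    a, b, c, d = byte_range
    return pdf[:c + d]


def banner(pdf: bytes) -> str:
    """Banner wording along the lines suggested in the thread (my phrasing)."""
    sigs = analyze(pdf)
    if not sigs:
        return "The document is not signed"
    if any(s["modified_after_signing"] for s in sigs):
        return "The document is digitally signed but there have been changes since it was signed"
    return "The document is digitally signed"


def _content_obj(text: bytes) -> bytes:
    ops = b"BT /F1 12 Tf 72 700 Td (" + text + b") Tj ET\n"
    return (b"4 0 obj\n<< /Length " + str(len(ops)).encode() + b" >>\nstream\n"
            + ops + b"endstream\nendobj\n")


def make_sample(shadowed: bool) -> bytes:
    """Constructed sample: a structurally plausible signed PDF (object layout simplified).
    The /Contents value is a placeholder, NOT a real signature, so only the ByteRange
    bookkeeping is exercised here."""
    body = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
            + _content_obj(b"sign to get your annual bonus") +
            b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
            b"/Contents ")
    contents = b"00" * 32  # placeholder for the DER-encoded CMS blob (constructed)

    def tail(br):
        # Zero-padded numbers keep the dictionary length fixed, as real signers do,
        # so the offsets can be computed before the values are filled in.
        return (b"> /ByteRange [" + b" ".join(str(v).zfill(10).encode() for v in br)
                + b"] >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

    a, b = 0, len(body)                      # first range: up to but excluding '<'
    c = b + 1 + len(contents) + 1            # second range: just past '>'
    d = len(tail((0, 0, 0, 0))) - 1          # rest of the file, minus the '>' itself
    pdf = body + b"<" + contents + tail((a, b, c, d))
    assert len(pdf) == c + d

    if shadowed:
        # Incremental update: a new object 4 replaces the page text, and a new
        # trailer points back at the old one. The signature above is untouched.
        pdf += (_content_obj(b"you're fired")
                + b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return pdf


if __name__ == "__main__":
    for shadowed in (False, True):
        sample = make_sample(shadowed)
        print(analyze(sample)[0], "->", banner(sample))
```

This is layout bookkeeping only: a real verifier still has to validate the CMS signature in /Contents over exactly the bytes in the two ranges, and check that the hole between them holds nothing but that /Contents string. Note too that an incremental update after a signature is not malicious by itself (a second signature or a filled-in form field is added the same way), which is why showing the signed version next to the current one, as Okular already does, matters more than any single banner wording.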
