Dealing with Signature Shadow PDF "vulnerability"
David Hurka
david.hurka at mailbox.org
Mon Aug 3 13:09:38 BST 2020
Albert wrote:
> For example, you sign a pdf that says "sign to get your annual bonus" and
> then the PDF is modified to say "you're fired" and still have your
> signature on it.
>
> https://pdf-insecurity.org/download/exploits-shadow/hide.zip
>
> When opening the "forged" PDF file on Okular we currently display the "The
> document is digitally signed" banner (which is true, but not "the whole
> truth").
>
> It's not only until you open the properties of the signature that it says
> "there have been changes to the document since signed" and also provides a
> "Click here to see the version that was signed".
>
> I'd say that is good, but arguably a bit hidden.
>
> My suggestion would be to bring the "there have been changes to the document
> since signed" working to the "The document is digitally signed" banner.
>
> What do you think?
1) Okular is provided AS IS and WITHOUT WARRANTY, right?
If people rely on Okular, I think your suggestion makes sense.
2) But some users will probably interpret “The document” as “what you see
here”, despite the addition “there have been changes”. Just think of the poor
MS Word users who read “Please disable save viewing of this document” in their
everyday and scam documents. I think we should better say “A different version
of this document...”.
More information about the Okular-devel
mailing list