3

I need to protect a set of PDF files that will be exposed to users on a webpage. PDF should only be readable, no other permission should be possible.

Using pdftk I have created "secured" PDF which I have tested both in various browsers. So far so good. 

pdftk input.pdf output protected.pdf owner_pw <PASSWORD_GOES_HERE>

But a colleague of mine pointed me a way which with Ghostscript 8.70 it is possible to remove the protection:

ghostscript -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=unprotected.pdf -c .setpdfwrite -f protected.pdf

Does this means that Ghostcript does not honor security permissions?

I wanted to try signing with a certificate, but I've seen that this can also be circumvented: http://ronin-group.org/misc_pdfsignatures.html

How to genuinely protect the content from PDF from users when serving them in web pages?

Rade_303
  • 905
  • 11
  • 28
  • What *exactly* do you want to achieve? What should be the scope of your 'protection'? (Because, in the end, if your PDF is readable by a human, it can also be scanned/photographed/transcribed... -- and then via OCR you can extract texts, and by other means you can extract images or other resources contained in it...) – Kurt Pfeifle Jan 26 '15 at 14:29
  • BTW, older Ghostscript versions (v8.70 is almost 6 years old!) indeed didn't honor security permissions in PDF. The more recent versions (v9.15 is the current one -- 13 releases after 8.70) do. They can even *set* (most of) the security parameters when generating a PDF. – Kurt Pfeifle Jan 26 '15 at 14:34
  • @KurtPfeifle I have tried v9.15 and the outcome is the same. As you replied, the PDF in that format cannot be protected from users. My colleagues will investigate the possibility to convert PDFs to SWFs (somebody suggested that) so that at least copying is as hard as possible. – Rade_303 Jan 26 '15 at 15:55
  • 1
    What type of "copying" do you want to prevent? If it is "copy'n'paste" of text, then you should try (with v9.15) adding the parameter `-dNoOutputFonts`. It should convert all your text's glyphs into vector shapes, which will then require the application of OCR before you can copy'n'paste again. (The PDF size will get larger, though.) – Kurt Pfeifle Jan 26 '15 at 16:01
  • 1
    Please consider also [this answer](http://stackoverflow.com/a/10082612/359307) of mine. – Kurt Pfeifle Jan 26 '15 at 16:02
  • Copy/paste but also printing should be prevented. But, PDF protection is inherently limited therefore it might insufficient to client's needs. I will need to see what they have to say. – Rade_303 Jan 26 '15 at 16:24
  • Our attitude for Ghostscript is that if you can open it for reading, or printing, then we will process it. Note that Ghostscript is not removing the permissions form your original PDF file, it is creating a new PDF file from the printing content of the old PDF file. This is akin to printing and then converting back into a PDF file. While we could manufacture a new PDF file with the original *user* permissions, we cannot add the owner permissions, because (unless you opened the file with the owner password) We don't *know* the owner password. – KenS Jan 26 '15 at 16:27
  • Frankly I'm with Kurt, PDF security is next to useless anyway. – KenS Jan 26 '15 at 16:28
  • @KenS the original PDF file does not have printing permission allowed, so Ghostscript is actually breaking security contract. You could argue that no contract was broken if the resulting PDF would be the one where all text was converted to raster images, but that is not the case here. But still, after all your answers I see now that PDF security is next to useless. – Rade_303 Jan 27 '15 at 11:11
  • Hmm, I'd have to see the PDF file to comment further. – KenS Jan 27 '15 at 11:16
  • Oh, also as Kurt says, that's an old version, it may not have properly checked the security permissions. – KenS Jan 27 '15 at 11:17

1 Answers1

4

"How to genuinely protect the content from PDF from users when serving them in web pages?"

You cannot.

Kurt Pfeifle
  • 86,724
  • 23
  • 248
  • 345
  • 1
    To be clear: the 'protection' you put onto a PDF can only ever make it more difficult (or even *very* difficult) to extract text, or print, or modify the file for "lay" users. But there is nothing that amounts to "genuine" protection. – Kurt Pfeifle Jan 26 '15 at 15:56