
10 things you really wished you had known about PDF Security, but they didn't tell you!

White Paper Published By: LockLizard

Is the PDF security software you are looking to purchase really secure? If the PDF security software you are evaluating can be simply broken then you might as well save your money. What PDF security vendors are not telling you about their products and solutions, and what questions you should be asking.



Tags: pdf, pdf security, locklizard, software, cost savings, recovery, passwords, restrictions

LockLizard
Published:  Jun 10, 2009
Type:  White Paper
Length:  8 pages

Think carefully about the tool that is used to render your PDF to the screen. Are there published cracks for it, or is the implementation insecure? All PDF password protected documents can have their passwords removed by PDF password recovery software. Once the password has been removed the user can do what they like with the PDF document. Password removal or 'recovery' programs are freely available on the Internet and cost as little as $10 to purchase.
Typing "PDF password remover" into Google returns 825,000 results. Top of the list is http://www.a-pdf.com/security/restrictions_remover.htm which charges $9.99 and offers to remove the password and restrictions in a few seconds.
Check that password recovery specialists such as Elcomsoft don't list the program you use to render your PDFs in their 'password recovery' list. If it is listed, they have found a way in, and for a small fee, so can anyone else. So if you are protecting a $6k file and the crack costs $50, then you can figure it out for yourself.
Don't be fooled by companies that have been around for a while or are affiliated with big names. Dmitry Sklyarov, a cryptanalyst from Elcomsoft, says: "FileOpen was chosen as an Adobe 'security partner', which leads me to wonder how closely Adobe examines the cryptography used by its partners. The code can be broken instantly. FileOpen software puts key information in the encrypted document, which is sort of like leaving your car with the keys in the ignition. Surprisingly, many of its users seem to be scientific and technical journals."
"The $197 Ebook Pro e-book protection software is advertised as 100% burglarproof and claims a list of Fortune 500 companies as its customers. The software 'encrypts' e-books by mixing each byte of the text with a constant byte. This is a technique so weak that it probably shouldn't even be called cryptography."
The latest information on poor PDF security implementations and PDF flaws can be found here.
© LockLizard Ltd 2009 10 things you had wished you had known about PDF Security Page 1 of 8
Does your PDF security supplier have a background in content security or are you purchasing from a one man band or affiliate scheme? A lot of companies out there claim their products are secure yet use weak encryption or don't publish their security mechanisms. The majority have no data or content security experience. A lot of ebook 'security' software on the market is affiliate software that is re-branded for different organizations to sell as their own. If the company you are considering does not demonstrate any security credentials, then ask yourself whether you can really be certain that your content will be kept secure - you might want to look elsewhere.
Be careful about arguments that plug-ins are a lot safer than executable programs. Because a plug-in inherits all the power and authority of the program it is loaded into, you have to be just as confident about the provenance of the plug-in as you do about an executable. But your testing could be a whole lot harder, because you can't evaluate a plug-in unless you load it into its host program, and then you don't know if you are observing the actions of the plug-in or the host.

Make sure that people absolutely cannot load their own plug-ins into the master program, because if they can, they can get around the security that is being applied. Plug-ins run on the honor system. But, unfortunately, it seems that whilst people love honor, they love money more.

Plug-ins are exe files that need Windows administration rights to install. There are therefore no benefits to using plug-ins over standalone viewers - only disadvantages. Plug-ins can also conflict with each other. There is no verification system in the host program that sorts out conflicts and reports lack of interoperability. Even Microsoft Windows does a better job of identifying ahead of time when systems simply won't 'plug and play' than the plug-in system. ...
