3

I recently received a PDF file that, when attached to a Gmail message, causes a warning to be displayed as follows:

Encrypted attachment warning – Be careful with this attachment. This message contains 1 encrypted attachment that can't be scanned for malicious content. Avoid downloading it unless you know the sender and are confident that this email is legitimate.

However, I am able to open the file without getting prompted for a password. I followed the advice given in this Security Stack Exchange question and used the pdfid.py program, whereupon I got the below output:

$ pdfid.py ~/Downloads/filename.pdf
PDFiD 0.2.7 /home/username/Downloads/filename.pdf
PDF Header: %PDF-1.6
obj                  402  
endobj               402 
stream               401  
endstream            401
xref                   0
trailer                0
startxref              1
/Page                  0
/Encrypt               1
/ObjStm               15
/JS                    0
/JavaScript            0
/AA                    0
/OpenAction            1
/AcroForm              1
/JBIG2Decode           0
/RichMedia             0
/Launch                0
/EmbeddedFile          0
/XFA                   0
/Colors > 2^24         0

It would seem to me that since this file contains no JavaScript it is safe to open and handle. But I am puzzled by the encrypted message that Gmail displays. I guess it is related to the /Encrypt flag that's set on the above output.

Why is Gmail telling me that the file is encrypted even though I can open it without being prompted for a password and would that, on its own, be reason for concern?

  • Seems like a legitimate warning. If an attachment can't be scanned (e.g. if it is encrypted) then Gmail can't be sure it is safe. What confuses me is how you were able to open it without a password - could be encrypted with a blank password, though you might be prompted anyway? – Pedro Jul 01 '20 at 10:12
  • Only Gmail knows... – Martin Schröder Jul 01 '20 at 10:17

3 Answers

1

The contents of the PDF are indeed encrypted. This happens when the creator of the PDF turns on security settings. So for example, the creator could allow you to view the PDF but not change or print it. If you view the PDF in Acrobat Reader, it will show you that the PDF is SECURED, and what permissions have been set.

If you simply view the PDF file with a text editor, you will see that the contents are encrypted.

Gary
1

The PDF document is encrypted, but the user password is blank. If you look at the PDF ISO Spec (PDF 32000-1:2008 Section 7.6.3.1):

"If a user attempts to open an encrypted document that has a user password, the conforming reader shall first try to authenticate the document using [the equivalent of a blank password.] ... If this authentication attempt is successful, the conforming reader may open, decrypt, and display the document on the screen."

The reason for this is that PDF encryption gives you more than confidentiality. Encrypted documents can also set permissions that conforming readers (like Acrobat Reader) honor to limit printing, copying to the clipboard, etc.
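The blank-password attempt quoted from the spec above can be reproduced offline. This is an added example, not part of the original answers: it assumes a revision 2-4 standard security handler with metadata encrypted (the default), and the function names, dictionary keys and sample /O, /P and /ID values are constructed for illustration.

```python
import hashlib
import struct

# Password padding string from PDF 32000-1:2008, 7.6.3.3.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a")

def rc4(key, data):
    """RC4, used by the revision 2-4 standard security handler."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def compute_u(password, enc):
    """/U entry a writer stores for a user password (Algorithms 2 and 4/5)."""
    n = enc["key_len"]
    key = hashlib.md5((password + PAD)[:32] + enc["O"]
                      + struct.pack("<i", enc["P"]) + enc["ID0"]).digest()
    if enc["R"] == 2:
        return rc4(key[:n], PAD)
    for _ in range(50):                      # extra hashing rounds for R >= 3
        key = hashlib.md5(key[:n]).digest()
    key = key[:n]
    val = rc4(key, hashlib.md5(PAD + enc["ID0"]).digest())
    for i in range(1, 20):
        val = rc4(bytes(b ^ i for b in key), val)
    return val + bytes(16)                   # trailing 16 bytes are arbitrary

def opens_without_prompt(enc):
    """Algorithm 6 with the empty password, which a reader tries first."""
    n = 32 if enc["R"] == 2 else 16          # R >= 3 compares 16 bytes only
    return compute_u(b"", enc)[:n] == enc["U"][:n]

def constructed_dict(user_password):
    """Constructed sample values, not taken from any real file."""
    enc = {"R": 3, "key_len": 16, "P": -3904, "O": bytes(range(32)),
           "ID0": bytes.fromhex("00112233445566778899aabbccddeeff")}
    enc["U"] = compute_u(user_password, enc)
    return enc

if __name__ == "__main__":
    for pw in (b"", b"s3cret"):
        print(pw, opens_without_prompt(constructed_dict(pw)))
```

A file whose /U matches the empty password opens silently in a conforming reader even though every stream in it is encrypted, which is the situation described in the question; a scanner that does not perform this step sees only ciphertext.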

0

Of course Google will warn about encrypted content, especially if it is not encrypted by themselves, hence they cannot decrypt the file. The warning comes only because they are not able to see the file's contents, not because there is something wrong with it. At all times they will prefer having control of all the variables: holding your password, the encryption keys and so on.

Now, this doesn't add up:

"However, I am able to open the file without getting prompted for a password."

What is expected for decryption is a key (not a password), but still, you need something. If you can see the contents without the key, it is not encrypted, maybe coded but not encrypted.

As always, you should use good sense to decide about this attachment:

  • where did it come from?
  • do you know who the source of the file is?
  • did you ask for it?
ram0nvaldez