8

Similar to the recent question about why we lock our computer, many people send documents as PDF file instead of a doc or html page because it would protect editing the document. And yes, it does add some value because you're making it less easy to do, but it's still easily doable. There are thousands of resources describing how you can edit a PDF, and even official documentation on the PDF format.

So why does everyone, including tech people, think PDF is a much better format to use?

Edit: Thanks for the answers. The weird thing is that people always bring "you can't edit it" as first argument, even at school, and I'm doing application development so it's not like the people there are computer illiterate.

Layout preservation is no issue in my case because we know the teachers use Office 2007 or 2010 on Windows 7, just like us. Still, most people hand documents in as PDFs, and then (when asking) arguing it's so that they can't tamper with what you handed in...

Luc
  • 32,378
  • 8
  • 75
  • 137
  • As long as you're not opening it with Adobe PDF Reader or Acrobat, then maybe. – Polynomial Nov 14 '12 at 13:04
  • 4
    The main reason why pdf is preferred isn't security or readonly-ness. It's that you don't need MS Word, and they render the same across platforms. – CodesInChaos Nov 14 '12 at 13:19
  • @Polynomial well, the first thing I do is turn of javascript support for Adobe Reader. And doesn't html (javascript) and docx (macros) have exactly the same issues there? Not to mention Adobe Reader X and later are using a variant on the pretty good Google Chrome sandbox (though no such sandbox is perfect)? – ewanm89 Nov 14 '12 at 13:42
  • 7
    [I'm](http://krebsonsecurity.com/2012/11/experts-warn-of-zero-day-exploit-for-adobe-reader/) [sure](http://www.adobe.com/support/security/advisories/apsa11-04.html) [you'll](http://www.adobe.com/support/security/bulletins/apsb11-03.html) [be](http://www.adobe.com/support/security/bulletins/apsb11-24.html) [perfectly](http://www.adobe.com/support/security/bulletins/apsb11-21.html) [safe](http://www.adobe.com/support/security/bulletins/apsb12-16.html). – Polynomial Nov 14 '12 at 13:46
  • 1
    Since the answer to this isn't really security related, it might be a good candidate to moving someplace like Superuser or maybe even Graphic Design. – AJ Henderson Nov 14 '12 at 13:51
  • @Polynomial [And](http://technet.microsoft.com/en-us/security/bulletin/MS12-076) [MS](http://technet.microsoft.com/en-us/security/bulletin/MS12-076) [Office](http://technet.microsoft.com/en-us/security/bulletin/MS12-060) [is](http://technet.microsoft.com/en-us/security/bulletin/MS12-060) [so](http://technet.microsoft.com/en-us/security/bulletin/MS12-046) [much](http://technet.microsoft.com/en-us/security/bulletin/MS12-034) [better](http://technet.microsoft.com/en-us/security/bulletin/MS12-030.) Seriously, my personal choice is neither. But my parents expect Adobe Reader and MS Office. – ewanm89 Nov 14 '12 at 14:28
  • @CodesInChaos You're saying you don't need software to view PDF files? – Luc Nov 14 '12 at 14:44
  • @Luc no he is saying that the software is available across multiple platforms and renders it exactly the same. – ewanm89 Nov 14 '12 at 15:03
  • @ewanm89 I didn't say Office was better, but there are plenty of alternative PDF viewers out there, including some cross platform and open source ones with a much better security track record. – Polynomial Nov 14 '12 at 15:14
  • @Polynomial Yeah, I use them. – ewanm89 Nov 14 '12 at 15:47

5 Answers5

9

The reason PDFs are preferred isn't security so much as a combination of technical capability and user expectation. The security of PDF and Word read only modes is about the same (which is to say, not very good, but good enough to prevent casual use.) Both files require a viewer on the other side, and there is both a Word and PDF viewer app for free, while the tools to make both generally cost money, though some services will do either for free.

User expectation however is generally that a Word document is something they edit. They feel like they are being blocked from doing something when they work with one that is protected and this can lead to a negative user experience.

The other factor is that Word is not a format that gives much control over the way the document flows. You can make an OK layout in Word, but a variety of factors can end up impacting how it is rendered. This is a simple side effect of the fact that Word is a word processor, designed for typing, not layout. PDF on the other hand was designed specifically as a print production and document reproduction format. It's sole purpose in life is to ensure a consistent viewing experience and printing experience regardless of the hardware it is displayed on or printed with. This is the primary reason why people, especially document generation professionals prefer PDF as a distribution format.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
  • The key reason I send anyone PDF is because of layout preservation. Especially through college, I ended up doing a lot of my document and presentations via OSX and would have to export to PDF to ensure format stayed the way I wanted it. Trying to convert to Microsoft's file types always messed things up - which is horrible when you have a presentation in 10 minutes. – Anthony Nov 14 '12 at 16:13
  • @Anthony Yeah, I agree that the primary reason is control of layout. That's why PostScript was invented and why the PDF format was created as an extension of PostScript for document exchange instead of just printing, though now you can use either format for either purpose, however PDF tends to be more capable and more usable by content consumers. Still see EPS (encapsulated post script) a lot in professional graphics design and layout circles though since it is a slimmer format. – AJ Henderson Nov 14 '12 at 16:47
6

PDF's can be locked to prevent editing. Docx can be protected. html - not so much.

Sure, there are ways of getting round even the best copy protection, up to and including taking screenshots or even dictating the comment, but protecting PDF's pretty much works. At least in a business environment.

I don't think that is why tech people think pdf is better.

I think it is better because it can render correctly at any size on pretty much any device. The same can not be said for docx or even html in many cases.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • See my commend on AJ's answer (http://security.stackexchange.com/questions/23977/using-pdf-instead-of-docx-or-html-safer#comment38904_23979). Layout is key and PDF gives that to me. – Anthony Nov 14 '12 at 16:14
2

PDF are much more portable than Doc(x) and HTML; at least, fonts usually come out the right size, contrary to what happens when trying to open a Word document in LibreOffice or another Word version or the supposedly same Word version but on another computer with a different OS version or distinct set of installed fonts. The same applies to HTML and the whole jungle of browsers. You can have interoperability issues with PDF, but they are rarer.

The "PDF is read-only" feature is only a deterrent for non-tech-savvy people -- and it works, because there are a lot of such non-tech-savvy people out there, and you have to work with them at some point. It would not do any good to base your security on it, but it will save you time and trouble nonetheless.

There are exploitable holes in many PDF renderers; PDF is not immune to such issues, especially since it can be scripted. My impression is that such issues are right now less common than the equivalent in plain Word formats. So using PDF might be a good idea for now to decrease the rate of successful attacks.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • I would argue the reverse in the last paragraph. PDF exploits are extremely common because many browsers will open a document as a PDF without request from the user; whereas opening a word document typically requires opening the document in a separate application and users are slightly more wary of such things. – Billy ONeal Dec 03 '12 at 03:21
1

It depends what you mean by "safer".

With PDF you are be guaranteed that it will display more or less the same on any device regardless of screen resolution, viewer/editor used, etc. Also, users expect to open it with a viewer program rather than an editor, thus setting a certain expectation. So it is arguably the "safer" format in terms of presentation.

Word is just as safe if you are sure all of your recipients have a recent version of Office (or if you are all using the same Office alternative), and is a better choice for collaboration since anyone can edit the document directly and send you their changes.

One nice aspect of HTML is that it is a plain text format. It is easy for the recipient to edit the file by hand with any program of their choice to verify that it does not contain any JavaScript, suspicious links, or other questionable content. So it may be a safer format in that regard, but obviously it is trivial to change the contents of the file.

Whether a document is in the safest format depends on that document and what you are trying to accomplish. In the end a user is probably more likely consider information trustworthy if it comes from a reputable source, rather than if it arrives in one of these formats or another.

Justin Ethier
  • 1,968
  • 3
  • 15
  • 20
0

I know that I am too late for the party, but in my opinion the reason to prefer pdf instead of .doc(x) is not in security or protection from editing, but rather in knowing that everyone will be open to open your document and see it in the same way you wanted them to see it.

For instance if you have your latest version of office installed and send the document to the person, who is using older version of office without the support of docx, the person most probably would not be able to open it. For non technical user it is hard to tell what does it mean to save in doc format. He looks at the icon, it looks like word icon, so it is doc. On another way, the person using linux and having open office can not be sure that the doc document he is about to open will look completely the same as the person who used office.

And because on any operating system there is a nice support of pdf reader and any office software has an easy option to convert to pdf, which will look the same way, it can be a reasonable way to exchange documents for reading purpose.

Salvador Dali
  • 1,745
  • 1
  • 19
  • 32