Help talk:Security/PDF files
- It certainly should. I marked it for translation (I hope :) - not familiar with the translation workflow.) --Tgr (WMF) (talk) 19:55, 13 April 2015 (UTC)
Linking to a pdf file
- And over HTTP to a social networking site, even. I found  but there is no HTTPS. Nemo 10:00, 3 April 2016 (UTC)
@Tgr (WMF): "Adobe Acrobat, with its default settings, is NOT safe." Can we clarify that? What exactly is meant by "safe" here? If we're going to make such scathing statements we should at least take the time to explain them. This, that and the other (talk) 03:39, 15 August 2015 (UTC)
- The statement was meant in the context of that particular issue-- in all of my testing, opening a PDF document with Acrobat Reader (where all of the Reader options had been left as default) on Windows (I tested XP through 8, iirc) would automatically open the URL in the system's default web browser, thereby revealing the IP address of the reader to whoever owns the server where the URL points. CSteipp (WMF) (talk) 17:55, 21 September 2015 (UTC)
What makes us believe that Firefox and Chrom(e|ium) plugins are the safest PDF readers? Nemo 10:00, 3 April 2016 (UTC)
- In general, I think all this information is too vague to be useful for real users. We should directly tell people to use either Firefox or Chromium plugins or a reader from https://pdfreaders.org , and at any rate avoid proprietary readers. --Nemo 16:28, 26 June 2017 (UTC)
There are a couple reasons to expect browser-based PDF readers to be more safe:
- security is much more of a reputation issue to browser vendors than to office tool vendors so it's reasonable to assume they invest much more resources into it. Past examples of how often security breaches happen and how they are handled seem to confirm this.
- browsers are highly sophisticated sandboxes. Firefox implements PDF rendering in pure JS so even in the case of implementation errors the fallout is limited. Chrome is less safe but probably still uses the same sandboxing it generally uses for plugins.
Being open source helps security-wise but it's not that important, IMO. The Chrome PDF viewer was in fact closed-source until not so long ago. I would still have trusted it more than software written by a vendor in the desktop publishing space. --Tgr (WMF) (talk) 16:08, 4 July 2017 (UTC)