Schneier on Security

tfb • September 19, 2021 4:41 AM

PDF

Suggesting that the problem is PDF and that we need a better replacement sounds like a good idea … until you realise what would be involved. PDF sits at the heart of every process which produces technical text which might end up on paper, almost any text which has significant mathematical content, and probably close to the heart of any process which produces any text which might end up on paper: I would expect that PDF files are somewhere in the toolchain for almost any paper book. Approximately all mathematical scientists use TeX and probably the vast majority of them are now using a PDF-producing TeX like pdfTeX or something similar. And this is a huge boon, especially if you have diagrams &c: I can remember DVI-based TeX and the endless nightmare of having to know which DVI-to-PS converter you were going to use.

Any suggested replacement for PDF would need to be able to render (after conversion, perhaps) all the existing PDF files which are the last 30 years or so of scientific papers, and all the PDF files from which books have been printed over the same period, all the standards documents for which the PDF file is the normative version and so on. And it needs to do this in an essentially bit-reproducible way. (You think scientists and authors do careful version-control of their papers including the toolchain that turned them into PDF? Yeah, right.)

And some hypothetical PDF replacement needs to be able to do a very large fraction of what PDF can do, because people need a lot of that stuff. I don’t know much about its outer reaches but I’m willing to bet that many of them have good uses.

So any PDF replacement is necessarily going to be a rich, complex specification for which which people are going to have to write interpreters, and which will also need to be targeted by PDF converters. Well, it turns out we have a rich, complex, open specification which people write interpreters for. That specification is here: its name is … PDF.

So this, in fact, tells you what the real problems are here.

Firstly there are parts of the PDF specification which are, still, proprietary and hence not really specified. Those need to be either excised, or standardised so they can be open to scrutiny. In most cases they’re already effectively excised since only Adobe’s PDF system implements them.

Secondly there are parts of the specification which just need not to be there. One notable one is that you can embed javaScript in it, which is about as sensible as embedding JavaScript in, say, a process which controls privileged access to Linux … oh, wait, sorry, no, as sensible as something else, because that’s obviously a sensible thing. And I think how this JS embedding happens is alsoone of the proprietary parts of the spec, which makes it doubly mad. The rest of the spec probably also needs to be gone over to look for things which are inherently dangerous.

Probably the end result of dealing with these two issues is that there should be a way of saying what ‘standard, (hopefully) safe’ bit of PDF is and some standard way of a bit of PDF saying it needs extensions. Perhaps that already exists: I don’t know.

So the improved, safer, more standard, replacement for PDF is, of course, going to be PDF.

But, thirdly, there’s the big problem. PDF – and any future PDF or replacement for it – is not some proprietary blob of code written by Adobe, or anyone else: it’s a standard format which many people write blobs of code to interpret. The thing that renders PDF files in Firefox probably has no code in common with Acrobat, and Acrobat probably has no code in common with whatever native PDF renderer exists on iOS, and that in turn probably has no code in common with whatever renders them in GoodReader or … pick any number of PDF renderers. And all of those blobs of code have to interpret a necessarily complex specification. And humans do not have a history of doing that either safely or correctly. And a new specification is not going to change that.

That’s the real problem here.

Notes. There’s no excuse for the ISO standard not being freely available, but that’s a different fight. I’m also not saying that it does not need attention: it probably does, it’s just that the approach is not to do a clean-slate specification.