Microsoft Edge's internal PDF Viewer can not open PDF encrypted width 256bit AES(level8).

Issue #7656659 • Assigned to Manoj B.

Details

Created
May 23, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 4 people

Sign in to watch or report this issue.

Steps to reproduce

Microsoft Edge can not open this PDF:
http://www.broadband-xp.com/test/edge/level8.pdf
which is encrypted with 1.7 Adobe Extension Level 8 (256bit).

On the other hand Microsoft Edge can open the following PDF:
http://www.broadband-xp.com/test/edge/level3.pdf
which is encrypted with 1.7 Adobe Extension Level 3 (256bit).

Please enhance the internal PDF Viewer so that it can open PDFs with the highest encryption.

Thank you in advance.

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Christian F.”

      Changed Assigned To to “Amit K.”

      Changed Assigned To from “Amit K.” to “Manoj B.”

      Changed Status to “Won’t fix”

    • This is a known issue. As of now, however, Adobe has not released the Extension Level 8 of the specification.
      http://www.adobe.com/devnet/pdf/pdf_reference.html only provides references up to Extension Level 5 which does support an older variant of the AES encryption.

      The specifications for this PDF version have not been released by Adobe, but are yet implemented in Adobe Reader X. This undocumented version makes use of a new password validation algorithm when opening encrypted documents.

      Apparently the Extension Level 8
       is an intermediate PDF version to prepare for the future arrival of the new ISO specifications (32000-2, aka
       PDF 2.0). Those are still in development, and the current drafts seem to be only available for the members of the ISO committee.

      (From: http://esec-lab.sogeti.com/posts/2011/09/14/the-undocumented-password-validation-algorithm-of-adobe-reader-x.html)

      Undocumented specs like these are subject to change. Please consider this while making any investment in this direction.

      All the best,
      The MS Edge Team

    • So, Edge works like this: A user clicks a link to download a PDF document. Instead of downloading the document for them, the browser tries to open (and in this case, decrypt) and render it itself instead. When this fails the browser simply displays a message saying that it can’t be opened and does not provide the user with a means to actually download it - thus preventing the user from accessing the document at all. This turns out to be a PDF document that would be opened by any up-to-date PDF viewer that the user had installed on their computer - including Adobe’s own and including the in-browser renderers of other major browsers such as Firefox and Chrome, and whether on Linux, Windows or Android etc. . Why don’t you let the user be the judge of whether it can be opened and whether they should be able to download a copy of it?

      Microsoft, in case you’d forgotten, Web browsers are for rendering HTML documents. If a user clicks a simple link as above to anything that isn’t an HTML document, then try the following: If the server has indicated that it should be displayed inline, try that. If the browser can’t do that, allow the user to download it. If the server indicates it should be downloaded (as an attachment), download it for them. If the server hasn’t specified either way, program some common sense into your browser. By all means let the browser try to render it, but if it can’t do that, download it for the user or at least make sure that it is very easily downloadable. If the download has a mime-type of application, like application/pdf, this is a strong hint that the browser probably ought to be downloading it for them anyway.

      This should be re-opened as a bug. User can’t access a document via a valid link to that document.

    • The mentioned PDF 2.0 specification is publicly published as ISO 32000-2:2017. https://www.iso.org/standard/63534.html

    • This issue affects our company website.

      Users of all browsers except Edge can download and/or view our PDF our files. We will have to start putting up - ‘Please use any browser other than Edge to download this file’ messages(!) or start sending “Content-Disposition: attachment” for PDF files when we encounter an Edge User-Agent header. The latter approach will force Edge to download PDFs for users so that they can still view them in any PDF viewer they have installed on their computer. Users of other browser can still view them in the web-browser or download them if they choose to do so.

      This issue ought to be re-reviewed and have its status changed, especially since the security features that Edge doesn’t support are now described in a published PDF specification, as noted by Kagami R; and users ought to be able to download valid PDFs regardless or whether the browser itself is able to render them.

    • Microsoft Edge Team

      Changed Assigned To to “James M.”

      Changed Status from “Won’t fix”

      Changed Assigned To to “Manoj B.”

    You need to sign in to your Microsoft account to add a comment.

    Sign in