There’s something that I wanted to test out for quite some time, but kept postponing until recently. Adobe Reader will ask confirmation before it retrieves a URL when a PDF document contains an action to do so. But what about the Certificate Revocation List in a signed PDF document?
When you open a signed PDF document with Adobe Reader, the signature gets checked automatically. If the signature is not OK, for example because it doesn’t chain up to a trusted root CA, revocation checks are not performed. In other words, the CRL is not downloaded.
But when I change the settings so that my root CA is trusted, the signature is considered valid and the CRL is retrieved. No warning is given to the user, it happens automatically and silently. Here is the log entry on my server:
192.168.1.1 - - [26/Apr/2013:11:33:35 -0400] "GET /root.crl HTTP/1.1" 200 709 "-" "PPKHandler"
PPKHandler is the User-Agent string.
The CRL file can’t be an empty file, and must be signed by the root CA, otherwise the signature is considered invalid.
So when you open a signed PDF document with Adobe Reader, the signature is automatically checked and the CRL is silently downloaded. This is done with a request to the webserver of the commercial CA which issued the certificate (crl.adobe.com, crl.geotrust.com, …). You can change automatic checking with Preferences / Signatures / Verification.
A quick check with Foxit Reader reveals it doesn’t check the signature automatically.
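As an added example (not code from the post), here is a small Python parser that pulls Adobe Reader's silent CRL fetches out of Apache combined-format access log lines, keyed on the PPKHandler User-Agent observed above. The log lines are constructed for the example; the first one mirrors the entry shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Apache "combined" log lines. The first line mirrors
# the entry from the post; the others are made up for contrast.
SAMPLE_LOG = """\
192.168.1.1 - - [26/Apr/2013:11:33:35 -0400] "GET /root.crl HTTP/1.1" 200 709 "-" "PPKHandler"
192.168.1.1 - - [26/Apr/2013:11:33:36 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.2 - - [26/Apr/2013:11:40:02 -0400] "GET /root.crl HTTP/1.1" 200 709 "-" "curl/7.29.0"
192.168.1.3 - - [26/Apr/2013:11:41:10 -0400] "GET /issuing.crl HTTP/1.1" 404 209 "-" "PPKHandler"
"""

# Apache combined format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class CrlFetch:
    host: str
    time: str
    path: str
    status: int
    user_agent: str

def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def find_reader_crl_fetches(log_text: str) -> List[CrlFetch]:
    """Return CRL downloads made by Adobe Reader's signature handler (UA "PPKHandler").
    Other clients fetching the same .crl file (browsers, curl) are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["ua"] == "PPKHandler" and rec["path"].lower().endswith(".crl"):
            hits.append(CrlFetch(rec["host"], rec["time"], rec["path"], int(rec["status"]), rec["ua"]))
    return hits
```

Running `find_reader_crl_fetches(SAMPLE_LOG)` on the constructed sample returns the two PPKHandler entries, including the 404 for a CRL that was not served.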
Thanks for testing this. I think this behavior makes sense. If you trust a root CA, you also trust their CRLs not to return anything funky. A confirmation pop-up would get in the way and decrease security (if the user cancels the action).
Comment by Richard — Tuesday 14 May 2013 @ 7:59
@Richard I’m not saying it doesn’t make sense and that you should worry about this. But sometimes people ask me if Adobe Reader makes silent connections (excluding Adobe servers). Now I can explain to them when it does.
Comment by Didier Stevens — Tuesday 14 May 2013 @ 8:47
Do you know if the Adobe products are proxy aware for the lookups? And if it uses the context of the current user, or (on a Windows box) the computer account via the WinHTTP proxy settings?
Comment by altonius — Tuesday 14 May 2013 @ 17:34
@altonius Yes, Adobe Reader supports proxies. But I never had to figure out which settings it takes.
Comment by Didier Stevens — Tuesday 14 May 2013 @ 19:07
Does this method work from a browser with Adobe Reader plugin?
Comment by Alex — Sunday 19 May 2013 @ 12:38
@Alex You mean that the CRL is retrieved? Yes.
Comment by Didier Stevens — Tuesday 21 May 2013 @ 6:19