Are encrypted Microsoft Word files safer in transit than PDF files?

In this expert Q&A, Michael Cobb demonstrates how a misconfigured firewall makes it easy for some Microsoft Word and PDF files to be sniffed in transit.

When sent from a vulnerable client to an HTTPS Web site and then on to another vulnerable client, are Microsoft Word files less safe in Internet transit than PDF files? (I do not assume that any kind of file is completely safe.)
The scenario you outline is relatively unsafe to begin with, which you seem to realize. People tend to forget that the protection offered by HTTPS, which adds an authentication and encryption layer to regular HTTP, is limited by the endpoints of the session. The server presents a certificate to the client, but the client does not need to present a certificate to the server. In other words, the identification of the client is quite easily spoofed. This may be what you meant by "vulnerable client."

Alternatively, you may be referring to the fact that the client is in an insecure location (like a coffee shop) or has a less-than-responsible operator. Consider Bob, the Acme Widget salesperson, meeting with Alice, a client, in Ted's Internet Café. Bob writes up a quote in Word and uses a special HTTPS page on the Acme Widget Web site to upload it for approval. The quote is approved, and Alice uses her machine to download the approved document from a different HTTPS page on the Web site. Ask yourself what level of integrity the document has, and how difficult it would be for a malicious user, possibly a competitor, to discern the contents of the document (which are assumed to contain proprietary pricing and specification data).

It should be clear that the answer is "not very." The document has little integrity, and it would not be hard to find out what is in it. Ted offers free Wi-Fi, but no encryption. The document can be sniffed in transit or even read from Bob's hard drive if he does not have a properly configured firewall on his laptop. Similar weaknesses exist between the server and Alice's hard drive. Even if we make Bob and Alice conduct their business in their respective offices, using PCs on their company networks, the document is open to unauthorized access and alteration if the clients are not well-protected and properly authenticated. If a dispute were to arise over the terms enshrined in the document, with one party claiming a different version of the doc was the original, it might be quite difficult to find an expert who, given the above circumstances, would testify as to which version was, in fact, the original.

As you probably know, you can encrypt documents with both Microsoft Word and Adobe Acrobat. Using either one of these can make the document somewhat safer in transit and at rest. Asking which of these products offers the best encryption, however, is a complex question. Earlier versions of both Word and Acrobat used relatively weak encryption for which decryption applications are widely available. Later versions are stronger, but still susceptible to brute force attack. That said, there are several security benefits in converting a sensitive Word doc into a password-protected PDF, one of which is the removal of potentially harmful or revealing metadata and hidden data, such as deleted text that is merely hidden, not truly deleted. Acrobat also offers a variety of features for document signing and control.

Of course, you can go further and use additional security applications, such as file encryption, independent of either Word or Acrobat. Many such encryption products are available, and all use the powerful Blowfish algorithm.
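The point above about metadata and hidden data that stay inside a Word document can be checked before a file is uploaded. The following is an added example, not part of the original answer: it assumes the Office Open XML (.docx) format, and the names `audit_docx` and `build_sample_docx` and the sample quote contents are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
META = {  # core-property tags that commonly identify people
    "{http://purl.org/dc/elements/1.1/}creator": "creator",
    "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}lastModifiedBy": "lastModifiedBy",
}

def audit_docx(data: bytes) -> dict:
    """Return author metadata, tracked deletions and hidden runs found in a .docx."""
    report = {"metadata": {}, "deleted_text": [], "hidden_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" in z.namelist():
            for el in ET.fromstring(z.read("docProps/core.xml")):
                if el.tag in META and el.text:
                    report["metadata"][META[el.tag]] = el.text
        body = ET.fromstring(z.read("word/document.xml"))
    # Tracked deletions stay in the file as <w:del><w:r><w:delText>.
    report["deleted_text"] = [d.text or "" for d in body.iter(W + "delText")]
    # Runs marked hidden with <w:vanish/> are still stored in full.
    for run in body.iter(W + "r"):
        if run.find(f"{W}rPr/{W}vanish") is not None:
            report["hidden_text"].append("".join(t.text or "" for t in run.iter(W + "t")))
    return report

def build_sample_docx() -> bytes:
    """Constructed sample input (minimal package, not a complete Word file)."""
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Unit price: $40</w:t></w:r>'
        '<w:del w:id="1" w:author="Bob"><w:r><w:delText>Floor price: $31</w:delText></w:r></w:del>'
        '<w:r><w:rPr><w:vanish/></w:rPr><w:t>Margin 22%</w:t></w:r>'
        '</w:p></w:body></w:document>')
    core = (
        '<cp:coreProperties xmlns:dc="http://purl.org/dc/elements/1.1/" '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties">'
        '<dc:creator>Bob</dc:creator><cp:lastModifiedBy>Acme Approver</cp:lastModifiedBy>'
        '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample_docx()))
```

A non-empty `deleted_text` or `hidden_text` list means the file still carries content the reader was not meant to see, whether or not the document is later password-protected.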

This was last published in February 2008
