You can embed arbitrary JavaScript in PDFs, so what about including “phone-home” text-boxes for marginalia?
I don’t know how the security model works in various PDF readers, but wouldn’t the JavaScript code be sandboxed, hopefully? Sane security practices shouldn’t allow arbitrary code in PDFs to talk to random ’net addresses...
If the PDF is signed by a certificate the user has manually installed, it can embed what Adobe calls “high privilege” JavaScript, which includes the ability to launch any URL. That’s an extra step, which would discourage some users, but on the plus side it addresses the “who’s given informed consent?” problem.
Momentarily donning a slightly darker hat: it is also possible for a PDF to launch an arbitrary executable (see pp. 30-34 of Julia Wolf’s OMG WTF PDF, video). AIUI this requires no additional privileges.
...a certificate the user has manually installed …an extra step, which would discourage some users
My estimate for the value of that “some” is 95%+
Not to mention that most of the people who can be easily persuaded to manually install a cert on their PC probably already have a dozen toolbars in their browser… :-D
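A defensive illustration of the two features discussed in this thread (embedded JavaScript and launch actions), added here and not written by any commenter: a Python triage scan that counts the PDF name keys introducing active content, decoding `#xx` hex escapes in names first. The key list, function names and sample bytes are constructed for this example.

```python
import re

# PDF name keys that introduce active content (list chosen for this example).
RISKY_NAMES = {
    "JavaScript": "embedded JavaScript",
    "JS": "embedded JavaScript",
    "Launch": "launch action (can start an external program)",
    "OpenAction": "action run automatically when the document opens",
    "AA": "additional actions triggered by events",
    "URI": "URI action (opens a URL)",
    "SubmitForm": "form data submitted to a URL",
    "ObjStm": "object stream (names inside are compressed and not seen here)",
}

# A PDF name is '/' followed by regular characters; '#xx' is a hex escape,
# so '/#4AavaScript' and '/JavaScript' are the same name.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")

def decode_name(raw: bytes) -> str:
    """Resolve '#xx' escapes so obfuscated spellings compare equal."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def scan_pdf_bytes(data: bytes) -> dict:
    """Return {name: count} for every risky name key found in the raw bytes."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample: an auto-run action, a hex-escaped JavaScript action
# and a launch action pointing at a placeholder.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /#4AavaScript /JS (void 0;) >>\nendobj\n"
    b"3 0 obj\n<< /S /Launch /F (constructed-placeholder) >>\nendobj\n"
)

if __name__ == "__main__":
    for name, count in scan_pdf_bytes(SAMPLE).items():
        print(f"{name}: {count} ({RISKY_NAMES[name]})")
```

This is a raw byte scan for triage: it can match text inside strings, and a nonzero `ObjStm` count means the file must be unpacked before a clean result can be trusted.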