1

A recent requirement been received to automatically email Excel documents to customers. The customer would then amend the Excel file and send it back.

The current options are to password protect the excel document using unique customer data as the password (example: ID number) or to embed the Excel document into a PDF file and then password protect the PDF file using the same password.

With the above in mind, which would be easiest to send via email (less chance of errors during sending from server and receiving at the customer email address) and offer the best security?

Office 2012 or greater would be used.

schroeder
  • 129,372
  • 55
  • 299
  • 340
TheBritishTwit
  • 11
  • 1
  • Can you edit an 'embedded' Excel file in a PDF? – schroeder May 04 '17 at 06:53
  • We can't really speculate which would be 'easier' (and it's not a security question). What do you want to secure against? Both Excel and PDF file passwords can be cracked with the right tool. – schroeder May 04 '17 at 06:55
  • The requirements are unclear. Why not use encrypted mail, encrypted ZIP file, upload the XLS to some site which requires authorization and mail the link etc. There are many ways to protect data which differ in usability, security, needed environment ... - impossible to tell what is best for you based on the few information. – Steffen Ullrich May 04 '17 at 09:00
  • I doubt that my PDF reader supports excel files embedded in a PDF. – CodesInChaos May 04 '17 at 11:31

1 Answers1

0

Hmmmm.

On the one hand you want to store the data inside a file format which is a known malware propagation vector and send it on a round trip to the client, or on the other hand you want to embed this file inside another file which is also a known malware vector. Leaving aside the question of whether the content will actually be editable when embedded in the PDF file, it looks to me like you have increased the attack surface.

Speaking with my programmer hat on, if I want to send and receive tabular data, then (any of the) MS Excel format(s) would be well down my list of choices for a container. In addition to the known dangers of malware, it is horrendously difficult to parse and process compared with CSV, JSON, XML.

OTOH I recognize that for most mortals, trying to edit an XML or JSON file must seem like rocket science (but CSV isn't that much of a pain considering you need them to maintain the appropriate encryption for the return trip). But if its small amounts data then why not just use an online form over HTTPS which solves the problem of how the user manages the clear text as well as the issue of proprietary file formats and the issue of malware injection.

Maybe sharing an online spreadsheet is not an ideal solution.

symcbean
  • 18,625
  • 1
  • 41
  • 75
  • Hi Everyone thanks for the comments. sorry for the delay and a bit of a rubbish description. – TheBritishTwit May 05 '17 at 08:01
  • Unfortunately the request to use Zip files has been declined by the customers involved.

    A request for a HTTPS based front end has been made however for some reason the customers seem to be leaning towards the emails method instead.

    I agree that excel and PDF are potential Malware carriers (if i can put it that way) however these documents will be sent to non-IT related companies and the chance on them knowing CSV or XML is slim, that's why using a format that most know has been selected.

     – TheBritishTwit May 05 '17 at 08:09
  • I have been able to make an encrypted PDF file which contains an excel document (stored in the PDF as an annotation), when opened the document will be opened in MS Excel as per usual. – TheBritishTwit May 05 '17 at 08:13