Reply To: Version 1.7



The ‘twist’ you describe “ZIP and include AxCrypt” sounds like a reasonable compromise although may I suggest the option be called something like “ZIP and include AxCrypt portable decryption software” as it’s a little more explanatory. You may wish to consider automatically adding a README file to the archive with step-by-step instructions for novice users.

Ideally I’d like to be offered the option of making a self-extractable archive. If necessary you could recommend that users consider not selecting the option by warning them of the issues but at least it would be there for those who need/like it.

The other issue I really don’t like with the software, including your portable version, is that upon initial launch it says:

“The first time you start AxCrypt a real email address is required. Click help for more information”

You are interrupting a recipient’s workflow and you’re also demanding they provide information to a company (AxCrypt) they don’t know. They may not trust AxCrypt or they may be in an offline scenario or their corporate firewalls might block emails from the AxCrypt domain. Insisting they provide that information as a pre-requisite to decrypting their file/s is really bad.

One final comment – I notice on your webpage you give the following instructions:

“Verify that the download is undamaged and authentic by checking the digital signature. Right-click the downloaded file in Windows Explorer, and select ‘Properties’ and the ‘Digital Signatures’ tab. Then select the digital signature and click ‘Details’. Ensure that the digital signature is shown as ‘OK’ and that the signer is ‘AxCrypt AB’.”

It’d be really good if you could include the AxCrypt AB certificate thumbprint and issuer (Comodo) on your website so that advanced users can verify the certificate for higher assurance. Could you confirm if this is the correct thumbprint?

6c 81 9d 4a 25 9f 21 fa 61 ca 35 50 a3 4d dd 79 16 72 4d db

For bonus points it’d be perfect if you included the MD5, SHA1, SHA256, SHA512 sums of the software on your website. Some people use these to confirm the software hasn’t been tampered with and many antivirus software packages also check the hash sum against their internal databases. Sometimes, when it’s not recognised (perhaps because it hasn’t been added yet), the antivirus returns a warning; especially in default deny configurations. If a user was able to check the hash sum against the official AxCrypt website it’d give them a little more confidence.

One final comment – I notice AxCrypt don’t have an SSL certificate on the main website (I know the ‘Sign In’ page does). For a security-related website this is essential in my opinion. Also, Google and other search engines downgrade your ranking if you don’t have one. You can get them for very little money and Let’s Encrypt even do them for free. Remember even on this discussion forum you’re asking people to submit their email address (albeit optionally) over an insecure page!

Thank you for taking the time to respond to my other posts.
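
Added example, not part of the original post and not AxCrypt's code: a PowerShell function that scripts the check the post describes, comparing a download's Authenticode signer, certificate thumbprint and file digests against values published by the vendor. The function name `Test-SignedDownload`, its parameters and the file name in the usage comment are hypothetical; the expected values are supplied by the caller.

```powershell
# Added example. The expected values are whatever the vendor publishes;
# none of the values here is an official AxCrypt value.
function Test-SignedDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint as copied from the certificate 'Details' dialog; spaces are allowed.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [string] $ExpectedSigner = 'AxCrypt AB',
        # Optional published digests keyed by algorithm (MD5, SHA1, SHA256, SHA512).
        [hashtable] $PublishedHashes = @{}
    )

    # The dialog shows spaced lower-case hex; .NET reports upper-case hex without spaces.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($want.Length -ne 40) {
        throw "A certificate thumbprint is a SHA-1 value (40 hex digits); got $($want.Length)."
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    $report = [ordered]@{
        SignatureValid    = ($sig.Status -eq 'Valid')
        SignerMatches     = $false
        ThumbprintMatches = $false
        Issuer            = $null    # informational, shown so the issuer can be compared too
    }
    if ($null -ne $cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $report['SignerMatches']     = ($cert.GetNameInfo($nameType, $false) -eq $ExpectedSigner)
        $report['ThumbprintMatches'] = ($cert.Thumbprint -eq $want)
        $report['Issuer']            = $cert.GetNameInfo($nameType, $true)
    }

    # Compare each published digest with the one computed locally.
    foreach ($alg in $PublishedHashes.Keys) {
        $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
        $expected = ([string]$PublishedHashes[$alg]) -replace '\s', ''
        $report["${alg}Matches"] = ($actual -eq $expected)   # -eq ignores case for strings
    }

    # Any boolean check that is $false fails the whole verification.
    $failed = @($report.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value })
    $report['AllChecksPass'] = ($failed.Count -eq 0)
    [pscustomobject]$report
}

# Usage (hypothetical file name, placeholder values):
# Test-SignedDownload -Path .\downloaded-installer.exe -ExpectedThumbprint '<published thumbprint>' -PublishedHashes @{ SHA256 = '<published SHA256>' }
```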