I was hard rejected “Thank you for your submission. We have completed our review of “Encrypt and Decrypt Text” and unfortunately we found it isn’t at the quality standard required to move forward, and you won’t be able to re-submit this item again.”
As other have stated, no one really knows why even if you read all the links they give you in your reject email. I am, however, asking on here for feedback.
It was made with F3 version 3.8 and works with PHP 8.* up to 8.2 with no problems. Just upload and use. No database.
I made it because I needed something like it to send some info when I was out of the country. I called it "nunya"ware since the info is nunya business. I know that does not matter, but someone might wonder.
Thanks for the feedback. I agree with your statements.
My “target” market was not really to coders, but to end users with a website possible looking for the functionality that wanted to self host and know the info was not being saved someplace, etc. without their knowledge.
While I appreciate what you were going for with this product, I disagree with it completely.
First, this should not be implemented with PHP. The encryption should be done locally with JS. You express concern about the plaintext message being stored, but here, you’re sending it off to who knows where and kindly exposing it for interception.
Second, the user should not be forced to provide a password, it will almost certainly be weak. The tool should be capable of generating its own secure key unless the user opts to provide their own, although I’m entirely against user-provided passwords for a product like this.
Third, the user should not have to copy/paste the ciphertext and password separately. Actually, they shouldn’t have to copy/paste either. You can generate a single link that contains both. When visiting the link, the ciphertext is automatically decrypted, locally in the browser. That’s good UX.
Fourth, encryption is hard to get right. How does a buyer know your implementation is secure? Is your implementation vulnerable to brute force attacks? Are you using something like PBKDF2 or Argon2 to secure the password? Your server responds in 300 ms, for a server’s CPU, that is probably very weak.
With all that said, you won’t get approved even with these improvements. The script is far too simple, and I can’t imagine that any amount of work on it would see it getting approved.
Go to the site.
Select encrypt
Inter a passcode
Enter some text
Click encrypt
Scroll to the bottom and you will see the encrypted text and a reminder of the passcode.
Copy to clipboard.
Go do decrypt
Inter the passcode
Paste the encrypted text
click decrypt
Scroll to the bottom
