Analysis of Cloudflare’s Email Address Obfuscation

Cloudflare provides a feature that obfuscates email addresses
to protect them from spam bots. We have it enabled because that’s a pretty solid
premise and it sounds useful enough.


It dynamically modifies markup, and adds its own scripts to aid in deobfuscating
email addresses to display to the user:

<a href="mailto:[email protected]">contact</a>

Turns into:

<a href="/cdn-cgi/l/email-protection#6e040b1d1d0b040b1d1d0b5f5c5d2e09030f0702400d0103">contact</a>
<script data-cfasync="false" src="/cdn-cgi/scripts/f2bf09f8/cloudflare-static/email-decode.min.js"></script>

A gist of email-decode.min.js is available here.
All of my findings are a result of reverse engineering that script, and you
can find my prettified version here.

Obfuscation Strategy

The part of the injected URL after the # encodes the email address. For
reference, here it is again:


It is a hex encoded series of bytes of variable length, depending on the length
of the email address.

The first byte, in this case 6e (remember that two hex digits make one byte!),
is a randomly (?) chosen key used to encrypt and decrypt the remaining bytes by
bitwise XORing the key with each subsequent byte. For example, 0x6e ^ 0x04 is
decimal 106 which is the ASCII code for j, the first character of my email

What it does next is actually quite interesting, and allows the function to
properly support Unicode code points (which take 1-4 bytes in UTF-8) despite the
decryption operating at the per-byte level.

Consider the following character: 丂

It’s made of three bytes, E4 B8 82, which are ä, ¸, and the unprintable control
character U+0082 respectively. However, naively concatenating the String.fromCharCode()
representations of each byte results in the mess you’d expect:


Cloudflare’s function then uses escape()
on the resulting string, which percent-encodes the string’s bytes.


After that, it decodes the string again using decodeURIComponent(),
which handles Unicode in the way we’d expect.


Here is a JavaScript function that decrypts the email address, given the hex

// Read the byte stored as two hex digits at the given string index.
function hex_at(str, index) {
  var r = str.substr(index, 2);
  return parseInt(r, 16);
}

function decrypt(ciphertext) {
  var output = "";
  // The first byte is the XOR key for every byte that follows.
  var key = hex_at(ciphertext, 0);
  for(var i = 2; i < ciphertext.length; i += 2) {
    var plaintext = hex_at(ciphertext, i) ^ key;
    output += String.fromCharCode(plaintext);
  }
  // Reinterpret the one-character-per-byte string as UTF-8.
  output = decodeURIComponent(escape(output));
  return output;
}

> decrypt("6e040b1d1d0b040b1d1d0b5f5c5d2e09030f0702400d0103")
'[email protected]'
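
The scheme described above, written out in both directions as an added example (not Cloudflare's code and not from the original post). The function names and the sample address are made up for illustration; it goes slightly beyond the post by also encoding, and by decoding with TextDecoder next to the escape()/decodeURIComponent() route so the Unicode handling can be compared.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Encode: UTF-8 bytes of the address, each XORed with a one-byte key,
// hex-encoded, with the key itself stored as the first byte.
function cfEncode(address, key) {
  if (!Number.isInteger(key) || key < 0 || key > 255) {
    throw new RangeError("key must be a single byte (0-255)");
  }
  const hex = (b) => b.toString(16).padStart(2, "0");
  const bytes = new TextEncoder().encode(address); // always UTF-8
  return hex(key) + Array.from(bytes, (b) => hex(b ^ key)).join("");
}

// Parse the hex fragment and undo the XOR; returns the plaintext bytes.
function xorBytes(fragment) {
  if (!/^(?:[0-9a-f]{2}){2,}$/i.test(fragment)) {
    throw new SyntaxError("expected hex: one key byte plus at least one data byte");
  }
  const raw = fragment.match(/../g).map((h) => parseInt(h, 16));
  const key = raw[0];
  return raw.slice(1).map((b) => b ^ key);
}

// Decode by interpreting the bytes as UTF-8 directly (rejects invalid UTF-8).
function cfDecode(fragment) {
  const bytes = Uint8Array.from(xorBytes(fragment));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decode the way the post describes: one character per byte, then
// escape() percent-encodes those characters and decodeURIComponent()
// reads the percent-encoded bytes back as UTF-8.
function legacyDecode(fragment) {
  const perByte = String.fromCharCode(...xorBytes(fragment)); // garbled for non-ASCII
  return { perByte, decoded: decodeURIComponent(escape(perByte)) };
}

// Constructed sample: an address whose local part is the three-byte character 丂.
const sample = cfEncode("丂@example.com", 0x6e);
console.log(sample, cfDecode(sample), legacyDecode(sample));
```

Because the key travels as the first byte, encoding the same address under any of the 256 keys decodes to the same result without the decoder needing to know anything in advance.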

You might have noticed that this encryption strategy is super weak. Storing
the key right next to the ciphertext is barely better than just sending the
email address in plaintext, and a single byte XOR is trivial to detect and brute
force—in fact, it’s the
third exercise of the excellent
Cryptopals challenge.

Indeed, the encoding method isn’t designed to securely encrypt email
addresses: while cryptographically weak, it’s enough to throw off the basic
scripts that hunt for mailto: links. One Cloudflare security engineer wrote:

The scrape shield is designed to prevent low-level bots from crawling web pages for contact information. Although it is possible to reveal email addresses due to weak encryption, we do not consider this to be a significant issue. The feature is meant to obfuscate email addresses; not completely enforce their confidentiality. As the alternative would be to not use the scrape shield and display the emails in plaintext, we are of the opinion that this feature does not introduce a vulnerability.

Prior art

It turns out that many people have done this sort of thing before:
