In this post I show a simple way to obfuscate email addresses to make it harder for bots to scrape them from your site. It uses a similar approach to Cloudflare Scrape Shield. It's important to note that the encoding scheme used here is incredibly weak. It's only meant to provide rudimentary protection against automated scraping by bots. It's obfuscation, not encryption!

Background - Cloudflare Scrape Shield

I include my email address on the about page of my blog in case people want to get in touch. I've personally only ever had pleasant emails from people (though I'm well aware that's a rarity for many people in our industry). Somewhat surprisingly perhaps, I don't get a huge amount of spam because of it.

Some time ago I moved my blog from a self-hosted instance of Ghost to Netlify. At the same time, I also removed the Cloudflare caching layer, as Netlify uses its own layer of caching.

One of the features of Cloudflare is Scrape Shield. This has multiple parts to it, but the one I was most interested in was email obfuscation. Cloudflare's email obfuscation works by modifying the HTML output of your app when they serve it. If Cloudflare detects an email address in an <a> tag (for example, a "Contact me" link), it will modify this element inline and inject a script element. When the page is served, the script is executed, and the tag is replaced with the original.

The advantage of this is that bots need to execute the JavaScript on your page in order to retrieve your email address, which raises the barrier (slightly) for bots trying to scrape the email address from your app. To avoid causing problems, there are a bunch of places that Cloudflare won't obfuscate email addresses.

When I moved my blog from Cloudflare to Netlify, I didn't want to lose that email obfuscation, so I looked at how I could implement it myself. Luckily, it's pretty trivial to achieve, as I found from reading this excellent post. This post is very much based on that one.

Decoding an obfuscated email address

First of all, while technically encryption, the scheme is so weak that you really shouldn't think of it as that. That's all that's required for our intended goal, but it's important to keep in mind. So, how does the email address "encryption" work? I'll start with the decoding strategy: how do you retrieve the email address from the encoded version shown previously?

The email is encoded into the # portion of the modified attribute, i.e. in the previous example, that was: a5c0ddc4c8d5c9c0e5c0ddc4c8d5c9c08bcad7c2

The overall strategy for decoding this is as follows:

1. Remove the first 2 characters (a5) and convert them from hex to a number (165). This is the key for the rest of the calculation.
2. Iterate through the remainder of the characters, incrementing by two. For each pair of characters (the first pair is c0):
   a. Convert the pair from hex to a number (192).
   b. Perform a bitwise XOR of the number with the key.
   c. Convert the result (101) to its UTF-16 character equivalent (e).
3. Repeat until all characters are consumed.

The XOR scheme used is one of the most basic encryption schemes possible. Again, this is not secure encryption, it is simply obfuscation. And on top of that, the key for the encryption is stored right alongside the cipher text! This is actually a simplified description of the Cloudflare approach: Cloudflare have an additional step to handle Unicode codepoints (which can be multiple bytes long). See this blog post for a description of that step.
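As an added example (my own code, not the original post's or Cloudflare's), here is the decoding procedure described in this post in JavaScript, together with the matching encoder you would use to produce the value for your own site. It assumes plain single-byte characters and leaves out Cloudflare's extra Unicode handling.

```javascript
// Added example: Cloudflare-style single-byte XOR email obfuscation.
// Assumption: the address contains only single-byte characters; the
// Unicode step Cloudflare adds is not reproduced here.

// Decode: the first hex pair is the key, every following pair is XORed with it.
function decodeObfuscatedEmail(hex) {
  if (hex.length < 4 || hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) {
    throw new Error("expected an even number of hex digits, at least two pairs");
  }
  const key = parseInt(hex.slice(0, 2), 16);        // "a5" -> 165
  let email = "";
  for (let i = 2; i < hex.length; i += 2) {
    const byte = parseInt(hex.slice(i, i + 2), 16);  // "c0" -> 192
    email += String.fromCharCode(byte ^ key);        // 192 ^ 165 = 101 -> "e"
  }
  return email;
}

// Encode: choose a key byte (random unless supplied) and emit it followed by
// each character code XORed with it, all as two-digit hex.
function encodeEmail(email, key) {
  if (key === undefined) key = Math.floor(Math.random() * 256);
  let out = key.toString(16).padStart(2, "0");
  for (const ch of email) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error("only single-byte characters are supported here");
    out += (code ^ key).toString(16).padStart(2, "0");
  }
  return out;
}

// The encoded value quoted in the post, decoded and then re-encoded with the same key.
const SAMPLE = "a5c0ddc4c8d5c9c0e5c0ddc4c8d5c9c08bcad7c2";
console.log(decodeObfuscatedEmail(SAMPLE));                   // example@example.org
console.log(encodeEmail("example@example.org", 0xa5) === SAMPLE); // true
```

Because the key byte travels with the cipher text, anyone holding the encoded string can recover the address with the first function alone, which is exactly why this counts as obfuscation rather than encryption.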