We ignore Cloudflare's many SSL certs. We have a short blacklist of MITM-as-a-service content delivery networks. Here's my paper on that.[1]
The list is short. Here it is:
cloudflare.com – a front-end network for sites, controlling 36,280 domains.
incapsula.com – a front-end network for sites
sonymusic.com – operates sites for their range of artists.
Janrainengage.com – customer tracking service
edgecastcdn.net – Verizon caching system
fiducia.de – security service for banks
vin65.com – wine seller with many sites for various wine brands.
practiceweb.co.uk – a hosting service for accountants
Sites which use those services are not blacklisted by Sitetruth, but the ownership data in their SSL certs is ignored as meaningless. The CA/Browser Forum is looking into ways to express this better in SSL certs. A cert with fifty unrelated businesses is just silly, and it's a transitional thing until everybody gets TLS-capable OSs and browsers so shared IP doesn't mean shared cert (Windows XP/IE 6 being the problem).
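A sketch of the policy described in the comment above, as an added example that is not Sitetruth's code or part of the original comment: the site stays acceptable, but the certificate's organization field is discarded when any name in the cert belongs to a listed operator. It assumes matching is done on the cert's DNS names and that certs arrive as dicts shaped like Python's `ssl.getpeercert()` output; the function names and both sample certs are constructed for illustration.

```python
# Operator domains copied from the list in the comment above.
SHARED_CERT_OPERATORS = frozenset({
    "cloudflare.com", "incapsula.com", "sonymusic.com", "janrainengage.com",
    "edgecastcdn.net", "fiducia.de", "vin65.com", "practiceweb.co.uk",
})

def cert_names(cert):
    """Lowercased DNS names (SAN entries plus subject CN) from a getpeercert()-style dict."""
    names = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for key, v in rdn if key == "commonName"]
    return {n.lower().rstrip(".") for n in names}

def matches_operator(name, operator):
    """True if name is the operator domain or a subdomain of it; plain substring hits are not."""
    if name.startswith("*."):
        name = name[2:]          # treat *.example.com like example.com
    return name == operator or name.endswith("." + operator)

def shared_cert_operator(cert):
    """Return the listed operator that appears in the cert's names, or None."""
    for name in sorted(cert_names(cert)):
        for operator in sorted(SHARED_CERT_OPERATORS):
            if matches_operator(name, operator):
                return operator
    return None

def ownership_from_cert(cert):
    """Return the subject organizationName, or None when the cert is an operator's shared cert."""
    if shared_cert_operator(cert) is not None:
        return None              # ownership data ignored; the site itself is not rejected
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

# Constructed sample certs (not real certificates).
SHARED = {
    "subject": ((("organizationName", "CDN Operator, Inc."),),
                (("commonName", "ssl-example.cloudflare.com"),)),
    "subjectAltName": (("DNS", "ssl-example.cloudflare.com"),
                       ("DNS", "shop-a.example"), ("DNS", "*.shop-b.example")),
}
DEDICATED = {
    "subject": ((("organizationName", "Example Org Ltd"),),
                (("commonName", "www.example.org"),)),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "notcloudflare.com")),
}
```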