The fact that CloudFlare has "Flexible SSL" leads me to believe they don't care about security at all. I've asked them to at least post a "CF-SSL: Flexible" header or similar to responses so someone could develop a Chrome extension to alert on this behavior.
They're presenting sites over HTTPS to visitors while tunneling the full request in plain text over HTTP across the internet back to the origin server. Because of this, web browsers like Chrome will allow access to sensitive APIs like Geolocation despite the end to end communication being insecure.
If I could, I'd personally blacklist all "Flexible SSL" sites from my daily browsing.
Just revoke CF's certificate on your local machine. If they won't tell you when they're being flexible you have to assume they're always being flexible.
That has undesired effects. I have a page that uses SSL CF<->server via their certificate. The certificate for the end user is still a CF certificate. The end user has no way of finding out if the connection to origin is encrypted.
They're presenting sites over HTTPS to visitors while tunneling the full request in plain text over HTTP across the internet back to the origin server. Because of this, web browsers like Chrome will allow access to sensitive APIs like Geolocation despite the end to end communication being insecure.
If I could, I'd personally blacklist all "Flexible SSL" sites from my daily browsing.