All this from the company where the default SSL option is "Make the user think they are accessing a secure website, then tunnel that data over the internet entirely unencrypted to the origin server"...
Oh, and we'll call it "Flexible SSL" so it doesn't sound so horrendously insecure...
Yes, by default all websites hosted with cloudflare are completely insecure. Even if the client connects via https AND the server supports https, cloudflare uses an unencrypted http connection.
Even the encryption: "full" setting is useless, since it doesn't verify certificates in any way, so an MITM attacker can just sign their own cert in your name.
I suspect CF does this so they can have their "one-click" onboarding for panicking under-attack companies. It really shows that despite all the blog posts about lava lamps and how important security is for them, in the end sales and the shareholders' interest (profit) is king. The very least they should do is have huge warnings about switching to "full (strict)" ASAP, but really the other two shouldn't be an option at all.
I'm reminded of this whenever I add a new site to CF, since when port 80 is not open, CF just does not work at all, it just shows "backend server down", even when TLS/443 is set up correctly.
And arguing that "it's fine because it protects the connection between the user and the CF server which is the most vulnerable point" is ridiculous. Your nearest CF server is probably in a neighboring city, so the whole path between that city and the other side of the world is readable and modifiable by whoever.
The other way to look at this is that at least it gives users SSL where they are most vulnerable, and where they would not have it otherwise, because the service provider is not sophisticated enough to do their own SSL. Perfect is the enemy of good here. Flexible SSL is a terrible name though.