Because ProtonMail would have been required to give CloudFlare encryption keys that would have 1) allowed CloudFlare to inject JavaScript to steal decryption passwords and keys, and 2) allowed CloudFlare to collect metadata on traffic for individual users.
CloudFlare are a bunch of great guys. And, they wouldn't do any of that unless they were delivered a National Security Letter forcing them to.
If ProtonMail signed up with CloudFlare, like HushMail did, ProtonMail would have no way to know if these types of code modification attacks or metadata collections were happening.
And, as people saw with Hushmail, since CloudFlare does not do SMTP proxying (filtering/challenging), a DDoS could have still taken ProtonMail's mail servers offline. While CloudFlare allowed Hushmail to get its website back online, mail to my Hushmail account is currently delayed by several hours due to a DDoS of their mail servers.
From https://hushmailstatus.com/ :
"We're investigating reports of incoming and outgoing email delivery delays. We'll update this page as more information becomes available."
Privacy and a service sitting between user and host don't mix well, I'd guess.