Comment by eridius

8 years ago

My bad. I thought Flexible SSL was the option where you can use any arbitrary self-signed cert. But you're right, Flexible SSL means no encryption at all between the origin server and CloudFlare. I will edit my post accordingly.

What if the origin server forces https on the link between CF and the origin server?

  • That would be much better. Also Cloudflare gives an option to require HTTPS on this link. What's so sneaky about Cloudflare is they call the insecure option "Flexible SSL" rather than what it is, "Insecure SSL". And a major issue is that the end user has no way of knowing the site's Cloudflare configuration and whether it is secure or not.