The essence of "MITM" isn't the Middle but the fact that the Man is unauthorized, Eve to Alice and Bob. If Alice and Bob agree to put CloudFlare (oh, look, the C already works!) in between them, there's a Middle but there's no [unauthorized] Man.
SSL's purpose isn't to create some sort of quasi-mythical "direct connection" between Alice and Bob, it's just removing the general Internet as a vector for many attacks. An utterly critical building block of the global Internet, but nothing more; certainly not a magic invocation that casts the spell of Security +1 across the entire communication, neither in fact nor in intent.
It's worth taking a moment to try to explore what the idea of "direct connection" is that you have in your head, in a world where Bob is probably already a program generating HTTP with no human interaction in an arbitrarily-complicated manner, with arbitrarily-complicated combinations of SSL accelerators, WAFs, and who knows what other network appliances, even before we consider what it means to assemble a page from JS and images from 10 different domains representing other entities, and where Alice is using a browser and arbitrary plugins, each of which she is implicitly trusting, and possibly a proxy. If you examine this closely it becomes surprisingly complicated.
They allow "SSL termination" where traffic to/from Cloudflare's Edge is protected with TLS, as well as full TLS, where you also provide your own certificate and the entire chain is protected.
So, you can very easily opt out of the "MITM" if you buy your own certificate. You can use a self-signed one to get a little more safety within Cloudflare's network, or a CA-signed one for a lot more safety.
I think the parent is referring to CloudFlare not requiring SSL between CloudFlare and their customers.
An SSL-terminating load balancer is in plaintext between the LB and your servers, whereas CloudFlare Universal SSL can be plaintext over the internet.
Since the latter still shows users it's a secure connection, it would be reasonable for CF to require HTTPS between themselves and their customers. Last time I asked CF about this, their answer was "yes, but not our problem".