by leighmcculloch 3858 days ago
You can use CloudFlare with a custom domain in front of Github Pages. It works. I do this for https://github.com/leighmcculloch/5tweets.com which you can see SSL'd at https://5tweets.com.
2 comments

Yeah, but someone can still get between CloudFlare and GitHub Pages, since the traffic between the two endpoints would still be unencrypted and thus open to MITM.
Actually GitHub have SSL on their username.github.io domain, so you can have full SSL from CloudFlare back to GitHub.
Which unfortunately doesn't work with CloudFlare on a different domain because it sends the custom domain Host header.
You can use a Page Rule to override this host header with whatever you like: https://support.cloudflare.com/hc/en-us/articles/206652947-U....
Enterprise plans only. I thought "do all of this for free" was implicit in the request to GitHub.
Yes, but it's static public pages. It's a pretty big stretch. It's not like users are POSTing confidential data up to your site.
You may well be hosting or linking to builds though, and if someone could replace a popular project's binary builds with one that'll compromise any machine it's installed on, that's a pretty big deal, especially if some of those machines are production servers.
Actually Cloudflare supports SSL on the backend (as a paid feature) so the only place it could be MITMed is in their network. I'd still like to see it a bit stricter in that I can specify my own self-signed CA that they validate against.

https://blog.cloudflare.com/introducing-strict-ssl-protectin...

There's nothing "paid" about specifying how we connect to your origin (i.e., with HTTPS or HTTP). This setting is available to all plans, free or otherwise.

During onboarding we attempt to establish a connection to your origin using HTTPS. If successful (i.e., your http daemon is listening on TCP 443, speaks TLS, and presents a certificate), we'll default you to using "Full" mode; if not, "Flexible" mode will be set.

Either way, this setting can be changed at any time: simply log in and click the Crypto app in our top level nav. The setting you are looking for is the first one presented on the screen.

In terms of your second comment, we're planning on rolling out a simple way for you to install a free CloudFlare-signed certificate on your origin and use that in Strict mode ("Full" with full chain validation). Don't have a GA date for this yet, but it will be announced on our blog once available to all (still in beta).

Source: CloudFlare TLS PM
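The comment above describes how CloudFlare decides between "Full" and "Flexible" during onboarding (does the origin answer on TCP 443, speak TLS and present a certificate?), and what "Strict" adds on top (full chain validation). The following is an added example, not CloudFlare's code or the thread's, that probes an origin the same way from a client's point of view and reports the strongest CDN-to-origin mode it could support. The mode names, the `classify_origin` helper and the optional `cafile` parameter (a CA bundle to validate a private or self-signed CA against, as the "specify my own CA" comment asks for) are assumptions of this example; the actual probe needs network access and is only run from the `__main__` block.

```python
"""Probe an origin for the CDN-to-origin TLS modes discussed above.

Added example, not CloudFlare code. Modes (names assumed for this example):
  flexible  CDN -> origin over plain HTTP; the origin hop is unencrypted (MITM-able)
  full      CDN -> origin over TLS, but the origin certificate is NOT validated
  strict    CDN -> origin over TLS with chain + hostname validation
"""
import socket
import ssl
from typing import Optional

FLEXIBLE = "flexible"
FULL = "full"
STRICT = "strict"


def make_origin_context(mode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client TLS context with the validation level each mode implies.

    cafile (assumption): path to a CA bundle; None means the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if mode == FULL:
        # Encrypted but unauthenticated: any cert (self-signed, expired, wrong
        # name) is accepted. check_hostname must be disabled before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == STRICT:
        # Authenticated: chain must validate to cafile/system roots and the
        # certificate must match the origin hostname.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError(f"no TLS context for mode {mode!r}")
    return ctx


def classify_origin(tls_handshake_ok: bool, chain_validated: bool) -> str:
    """Map probe observations to the strongest mode the origin can support."""
    if not tls_handshake_ok:
        return FLEXIBLE          # nothing speaking TLS on 443: plaintext only
    return STRICT if chain_validated else FULL


def probe_origin(host: str, port: int = 443, cafile: Optional[str] = None,
                 timeout: float = 5.0) -> str:
    """Try a validated handshake first, then an unvalidated one; classify the result."""
    tls_ok = False
    validated = False
    for mode in (STRICT, FULL):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = make_origin_context(mode, cafile)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    tls.getpeercert(binary_form=True)   # origin presented a certificate
                    tls_ok = True
                    validated = mode == STRICT
                    break
        except ssl.SSLCertVerificationError:
            continue            # TLS works, chain does not validate: try FULL
        except (OSError, ssl.SSLError):
            break               # no listener / not TLS on this port
    return classify_origin(tls_ok, validated)


if __name__ == "__main__":
    import sys
    origin = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    print(origin, "->", probe_origin(origin))
```

Reading the result the way the thread does: `flexible` means the hop from the CDN to the origin is the MITM-able stretch the first reply worried about; `full` closes the passive-eavesdropping gap but still lets an on-path attacker present any certificate; only `strict` (the CA bundle you control, or the CloudFlare-signed origin certificate the PM mentions) authenticates the origin.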

But you can download stuff you've uploaded and check that everything's in order, right?
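The question above (and the earlier worry about someone swapping a project's binary builds on the unencrypted hop) comes down to integrity checking of what is served. The following is an added example, not code from the thread, that builds a `sha256sum`-style manifest for uploaded artifacts and verifies downloaded copies against it; the file names and contents are constructed for the example. It assumes the manifest itself reaches the verifier over a path that cannot be tampered with in the same way as the downloads (for instance the repository over HTTPS), since a manifest served alongside the binaries can be replaced together with them.

```python
"""Verify downloaded build artifacts against a SHA-256 manifest.

Added example; artifact names and bytes are constructed, not real releases.
"""
import hashlib
from typing import Dict

# Constructed sample release: what the project owner uploaded.
UPLOADED: Dict[str, bytes] = {
    "tool-1.0.tar.gz": b"uploaded tarball bytes (constructed)",
    "tool-1.0.exe": b"uploaded windows build bytes (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Render a manifest in the '<hex digest>  <name>' form sha256sum uses."""
    lines = [f"{sha256_hex(data)}  {name}" for name, data in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hex digest>  <name>' lines; blank lines and '#' comments are skipped."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name] = digest.lower()
    return expected


def verify_downloads(manifest_text: str, downloaded: Dict[str, bytes]) -> Dict[str, str]:
    """Report 'ok', 'mismatch', 'missing' or 'unexpected' per artifact name."""
    expected = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in downloaded:
            report[name] = "missing"
        elif sha256_hex(downloaded[name]) == digest:
            report[name] = "ok"
        else:
            report[name] = "mismatch"      # content differs from what was uploaded
    for name in downloaded:
        if name not in expected:
            report[name] = "unexpected"    # served, but never listed by the publisher
    return report


def demo():
    """Intact downloads verify clean; a replaced .exe is flagged as a mismatch."""
    manifest = build_manifest(UPLOADED)
    intact = verify_downloads(manifest, UPLOADED)
    tampered = dict(UPLOADED)
    tampered["tool-1.0.exe"] = b"replaced build bytes (constructed)"
    return intact, verify_downloads(manifest, tampered)


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact:  ", intact)
    print("tampered:", tampered)
```

A hash manifest detects substitution only if the manifest is trusted; signing the manifest (or publishing the digests where the CDN cannot rewrite them) is what makes the check hold against an attacker sitting on the origin hop.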
And it doesn't work in older browsers - the free CloudFlare cert is ECDHE.
IE 6, Android 2.x and iOS 3.x...

I feel like a github project page is unlikely to have a lot of visitors running IE 6.

As someone who cares both about accessibility on the web and security, what up-to-date browsers don't support ECDHE, and what else would be reasonable to support as well?
Probably nothing up-to-date, hence I wrote older :) Opera 12.xx being one of the older browsers that works 99% of the time, except on EVERY SINGLE page with a CloudFlare cert.

What makes matters worse is CloudFlare lying about support level: https://support.cloudflare.com/hc/en-us/articles/203041594-W...

They claim Opera 8, a 2005 browser, supports ECDHE.

At this point anyone using Opera 12.xx must have pretty low expectations of the web though, right? Even if it is really _only_ CloudFlare, they must be used to seeing that?
So far it's only been hobby/torrent/scam sites using the free cert, nothing you would hesitate opening in a web proxy.

I'll switch browsers when I can open ~100 tabs without eating 8GB of RAM (Blink engine); Opera 12.17 does it at <2GB, not to mention being able to configure everything per domain (JS, blockers, cookies, etc.).

That list was originally created based on minimum requirements for SNI. I've gone through recently and documented where versions need to be adjusted "up" based on the requirement for ECDSA support. These changes will be posted as part of some other housekeeping work I have planned for cloudflare.com/ssl.