The only potential problem is that Cloudflare doesn't check the validity of the herokuapp.com cert, so in theory someone could MITM the connection. In practice, I'm not sure how you'd even get Cloudflare to connect to the rogue proxy, short of taking control of the DNS of *.herokuapp.com.
That's not true. When you set up crypto in Cloudflare you need to pick between "Full SSL (Strict)", which requires a valid certificate, and "Full SSL (non-strict)", which allows you to use a self-signed certificate or whatnot, but there's no reason you should be using that mode if you already have a valid certificate (as is the Heroku case).
"Full SSL (Strict)" doesn't work with the certificate provided for free by Heroku:
By default Heroku offers a wildcard SSL certificate which only covers ‘*.herokuapp.com’. This means that ‘Full SSL’ can be utilized as a default, which does not require that the SAN contains your FQDN. To utilize Full (Strict) you will need to add your own SSL certificate to your Heroku app, which can be done by using their ‘SSL Endpoint’ add-on.
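The strict versus non-strict distinction in the quoted text, modelled as an added example (this is not code from the thread, from Cloudflare or from Heroku). It assumes a custom domain www.example.com fronting a Heroku app, and the hostname-matching rules it applies to the certificate's SAN entries follow RFC 6125 (a wildcard may only be the whole leftmost label and matches exactly one label), which is an assumption about how the edge validates the origin certificate:

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class OriginCert:
    """Simplified view of the certificate the origin presents to the edge."""
    sans: List[str] = field(default_factory=list)  # dNSName SAN entries
    chain_trusted: bool = True   # chains to a CA the edge trusts (model input)
    expired: bool = False


def dns_id_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style DNS-ID comparison (assumed matching rule).

    - exact, case-insensitive match when the SAN has no wildcard
    - '*' is only honoured as the entire leftmost label
    - the wildcard matches exactly one label, so '*.herokuapp.com'
      covers 'myapp.herokuapp.com' but not 'a.b.herokuapp.com' nor
      the bare 'herokuapp.com'
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels = san.split(".")
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    host_labels = hostname.split(".")
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def origin_cert_accepted(mode: str, hostname: str, cert: OriginCert) -> bool:
    """Decide whether the edge accepts the origin cert for the given mode.

    'full'   : TLS to the origin, certificate not validated (self-signed OK),
               which is the mode that still works with the *.herokuapp.com cert.
    'strict' : certificate must chain to a trusted CA, be unexpired, and
               carry a SAN covering the FQDN the edge connects to.
    """
    if mode == "full":
        return True
    if mode == "strict":
        return (cert.chain_trusted
                and not cert.expired
                and any(dns_id_matches(hostname, s) for s in cert.sans))
    raise ValueError(f"unknown mode {mode!r}")


def heroku_scenario() -> dict:
    """Constructed scenario: Heroku's free wildcard cert, trusted chain."""
    heroku_cert = OriginCert(sans=["*.herokuapp.com"], chain_trusted=True)
    custom_fqdn = "www.example.com"          # assumed custom domain
    platform_fqdn = "myapp.herokuapp.com"    # assumed app name
    return {
        "full/custom": origin_cert_accepted("full", custom_fqdn, heroku_cert),
        "strict/custom": origin_cert_accepted("strict", custom_fqdn, heroku_cert),
        "strict/platform": origin_cert_accepted("strict", platform_fqdn, heroku_cert),
    }


if __name__ == "__main__":
    for case, ok in heroku_scenario().items():
        print(f"{case:16s} -> {'accepted' if ok else 'REJECTED'}")
```

The point the scenario makes is the one in the quoted text: with only the platform wildcard certificate, Full (Strict) fails for the custom domain because no SAN covers it, while Full (non-strict) passes precisely because it validates nothing, which is also what leaves the edge-to-origin hop open to a rogue origin.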
As far as I can tell, the cost of the SSL endpoint on Heroku is almost exactly the same as the cost of a separate Elastic Load balancer, which you need to terminate the SSL connection before it reaches your app. So Heroku is really just selling this feature at cost.
I don't remember an additional charge for using SSL with ELB (but ELB is extremely dumb, so if you want to apply fancy headers and rules, ELB is out of the question; either roll out Nginx or HAProxy with ELB governing failover. Direct R53 failover only works with a public zone).
It seems like Heroku's business model is to make it easy for startups to build on their platform and then bleed them dry of all their investment money.
I think people are misunderstanding the SSL costs for Cushion.
The SSL certificate expense is listed as $99/year from Namecheap, i.e. $8.25/month, so there seems to be no need to get a Symantec one.
However, they/it/he are paying Heroku $20/month for handling the SSL traffic, not for the certificate itself, which probably includes running a load-balancing server in front of their apps that automates the SSL termination across nodes. That seems like a fair cost to me.
I think the description of this cost is the error which causes the confusion.
Maybe https://liquidsky.singtel-labs.com/ can help you with that transition, especially when/if you need to iterate through your cloud environment repeatedly until you get to a comfortable one.
Simply not having to think about how to stage, locate and run an app saves a lot of visible and hidden engineering time.
Source: I work for a company which donates engineering time to what is, in some respects, a Heroku competitor (Cloud Foundry).