That particular customer had set up their configuration in
such a way that the connection from Cloudflare back to the
customers origin was not passed over an encrypted link.
Is it just me, or this is Google/NSA's "SSL added and removed here! (grinny face)" all over again?
What they describe is simply one of Cloudflare's SSL options, called "Flexible SSL", which is often used because it lets sites offer an HTTPS address without having to purchase a certificate themselves (or even setup a self-signed one): https://www.cloudflare.com/ssl/
http://i.imgur.com/4p9oMTp.jpg