[bubblethink]

This is a more subtle point about how cloudflare's flexible ssl works. The linked post describes a situation where the end user sees the ssl padlock, but the traffic is still getting MITM'ed between cloudflare and origin because it is not over https.

[jgrahamc]

There's no reason to use Flexible SSL. Cloudflare will support any certificate on the origin server (e.g. Let's Encrypt if you don't want to pay someone), or will give you a free "Origin CA" certificate.

[bubblethink]

Yes, that's fine. The problem is offering flexible ssl in the first place. It is not the end user's job to verify if the traffic between cloudflare and origin is encrypted.

[aptwebapps]

"There's no reason to use Flexible SSL."

Then why do you offer it?

[jgrahamc]

Because there are instances where the customer cannot put an SSL certificate on their server. So, I probably should have said "almost no reason".