by nilved 4332 days ago
Speaking strictly, you're right, but when you consider (a) Cloudflare's connection to your server is insecure, (b) Cloudflare is listening in on every request, and (c) Cloudflare blocks VPN and Tor users, it doesn't seem like such an obvious decision. But that's a false dichotomy, since everybody should use HTTPS, nobody should use HTTP, and, most importantly, nobody should be okay with third parties snooping on your users.
3 comments

    Cloudflare's connection to your server is insecure
This isn't always the case. The connection can be secure.
Yeah, it can even be cert-pinned, which is probably better than a non-pinned end-to-end TLS unless your attacker is local to you, due to the wonders of anycast. Also, like Google, we are constantly looking for malicious stuff like this on our IPs.
I had the same initial thought about (a), but the comments mentioned that CloudFlare issues a certificate you can install on your origin servers which will allow secure connections with CloudFlare.
I'm using a VPN (TunnelBear) and I can access my website that's behind Cloudflare.