Another problem with CF is when using Tor Browser to go to any website using CF. You’ll have to answer an impossible CAPTCHA to continue…
Cloudflare Flexible SSL really rubs me the wrong way; it basically renders the padlock useless since the data has been on the internet in plaintext.
The next level up from a regular padlock is the EV certificate which is much more expensive than a regular certificate. So unless I pay a lot of money for an EV certificate, my customers typically can’t distinguish my actually-secure site from a competitor’s fake-secure site.
Should Cloudflare be ashamed of themselves for enabling this?
Is there anything a browser could do to indicate the difference, short of graylisting all Cloudflare sites?
Yes, it’s wildly irresponsible of them, and their certificates probably should be graylisted for it. But remember that other sites can make the same mistake. Maybe you connect to a site over HTTPS, but then it sends your data in plaintext over the internet to Redis. All HTTPS can validate is that you’re talking to who you think you’re talking to; it can’t stop them passing on your data to the internet at large.