> There's just no good reason to proxy HTTPS traffic over HTTP anymore (if there ever was). Enabling it by default is encouraging awful security practices.
I'm a big fan of end-to-end encryption but I think a statement that broad should include a threat model. Not everyone is saving user credentials, credit card numbers, etc. and if you're primarily concerned about someone hijaacking the local network or untargeted national snooping, having HTTPS between the user and CloudFlare is a really big improvement because far more tampering happens at the edge rather than between the datacenter server serving your content and CloudFlare's network.
I do agree that this should be less and less acceptable as so much of the infrastructure has improved but there are still things like personal blogs and other content sites where you mostly don't want things like hostile ISPs injecting ads or malware onto your pages. That might make a good transition for Flexible SSL — start rebadging the UI to increasingly strongly emphasize that it's not suitable for sites with logins, PII, etc.
While I do not disagree with your sentiment, there have been cases of untargeted national snooping/censorship affecting sites with flexible SSL because governments can and often do sit between the local Cloudflare server and the origin.
I've also been hoping that Cloudflare would add a header indicating the backend encryption status, so that we can look at how sites are configured and whether any "important" sites are using flexible SSL:
I'm a big fan of end-to-end encryption but I think a statement that broad should include a threat model. Not everyone is saving user credentials, credit card numbers, etc. and if you're primarily concerned about someone hijaacking the local network or untargeted national snooping, having HTTPS between the user and CloudFlare is a really big improvement because far more tampering happens at the edge rather than between the datacenter server serving your content and CloudFlare's network.
I do agree that this should be less and less acceptable as so much of the infrastructure has improved but there are still things like personal blogs and other content sites where you mostly don't want things like hostile ISPs injecting ads or malware onto your pages. That might make a good transition for Flexible SSL — start rebadging the UI to increasingly strongly emphasize that it's not suitable for sites with logins, PII, etc.