> "Cloudflare should really message if this is the case when using their gateway. Small UI changes to note this would likely go a long way toward coercing better overall security."
In fact, Nick Sullivan, the Head of Cryptography at Cloudflare, stated a few years ago: "CloudFlare would be very happy to be able to indicate to the user the nature of how data is encrypted beyond the IP you are connecting to. Unfortunately there is no way to do that yet in modern browsers. Soon we will be sending an additional header down to the browser to indicate if a site is using strict SSL, it will be up to the browser to display it." However, as far as I can tell, this has not been implemented.
I've always hoped that Cloudflare would add a HTTP header indicating the backend encryption status. I filed this issue back in 2015: https://github.com/cloudflare/claire/issues/17
In fact, Nick Sullivan, the Head of Cryptography at Cloudflare, stated a few years ago: "CloudFlare would be very happy to be able to indicate to the user the nature of how data is encrypted beyond the IP you are connecting to. Unfortunately there is no way to do that yet in modern browsers. Soon we will be sending an additional header down to the browser to indicate if a site is using strict SSL, it will be up to the browser to display it." However, as far as I can tell, this has not been implemented.
https://blog.cloudflare.com/introducing-strict-ssl-protectin...