Please note that using Cloudflare, even with free SSL, is not an increase to the security and privacy of your users. On the contrary, Cloudflare records information about your users (this cannot be disabled) and, by default, blocks users who attempt to view your site through privacy-enhancing software. I would suggest that people looking to install SSL on their website (this should be everybody) instead get their free SSL certificate from gandi.net or StartSSL, who do not spy on or block your users.
Are there more actual implementation details somewhere? Sounds like selecting the ssl context based on the clients SNI request. This (obviously) would predicate client SNI support, as opposed to anycast IPs or similar.
Does it bother anyone else that when you try to visit the Google post explaining that they are using HTTPs as a ranking signal via https it redirects to http?<p><a href="http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html" rel="nofollow">http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-...</a>
what I just paid 20/month for the SSL....<p>Update: I have another concern I just found out.<p>For example, I do a lot of web scraping through my domain and I see that I was automatically opted in to use <a href="https://www.cloudflare.com/apps/scrapeshield" rel="nofollow">https://www.cloudflare.com/apps/scrapeshield</a>, something that is supposed to block scraping.<p>There's a huge conflict of interest if it turns out that the cloudflare network actively aims to help block scraping.<p>I know you guys said you will be on the neutral side but if the cloudflare is helping Scrapeshield become more intelligent about scraping by monitoring my scraping actions, I really don't know if it's wise to stay with cloudflare, as much as I love it.
I presume that customer private keys need to be stored on Cloudflare servers to implement this. Has that just made Cloudflare servers a legitimate prime NSA target?<p>I.e. all your keys belong to us