If so, it would make no difference whether the origin server has its own certificate.
Cloud Flare may claim that there is no way plaintext can be accessed from their equipment racks, despite the fact that some sort of decrypt and re-encrypt must occur there due to the nature of their role as a CDN.
This page is an excellent imitation of the Bank of America pages he remembers, and there is also that nice little SSL padlock in the corner of the address bar. Probably, because he doesn't realize that he's at a subdomain of q4and is entering his old and new password into a fake page for the benefit of a phisher.
As if the "standard" certificates aren't enough of a problem, there are also over four million "universal" certificates that present bigger problems.
Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.
The "ssl2796" in the name is a Cloud Flare tracking ID in the 136,535 root domains we found that use "standard" (not "universal") Cloud Flare certificates.