If those IPs change, then block Cloud Flare's entire IP space, and continue to monitor the situation. If Cloud Flare's traffic still gets through, you ask the ISP to pull the plug on Cloud Flare's racks. If so, it would make no difference whether the origin server has its own certificate. Cloud Flare may claim that there is no way plaintext can be accessed from their equipment racks, despite the fact that some sort of decrypt and re-encrypt must occur there due to the nature of their role as a CDN.
It's all a marketing effort anyway, whether paid or free.
Suppose that grandpa, age 90, gets an official-looking email that advises him to immediately change his password.
He clicks on the URL in the email and ends up at bankofamerica.q4
This is why Cloud Flare will add a plaintext port to their own hardware someday, if they haven't already.
The Cloud Flare certificates below encrypt the traffic only between the browser and Cloud Flare.
on the use of SSL by Cloud Flare and similar services.