
Most of the websites won't encrypt the link from Cloudflare to the server, ultimately defeating the purpose of SSL aside from a better search ranking.


It's not a problem if those connections use self-signed certificates, right? If that's the case, then setting up SSL from CloudFlare to your servers should be pretty easy.


It would be free, but not necessarily easy, as it would still entail configuring your web server to use SSL, and that might not even be an option if you're using shared hosting.

(Aside: self signed certs don't protect the connection from active attacks unless CloudFlare pins the cert. I'm mainly concerned with passive eavesdropping though.)


That's what we're going to do: issue certs that our customers can use on their origins, that will be trusted by our network, and that will be pinned to a particular site. That will allow end-to-end cryptographic connections. There are other groups working on making installing and setting up SSL on origin servers easier, that's not something we're likely to tackle, but agree it's important.
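The pinning point raised above (a self-signed origin certificate only stops an active attacker if the proxy pins it) can be shown in code. This is an added example, not Cloudflare's code and not from any commenter: a client that disables CA-chain validation for a self-signed origin and instead compares the presented certificate's SHA-256 fingerprint against a pinned value. The DER byte strings are constructed placeholders, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholders standing in for DER-encoded certificates.
ORIGIN_CERT_DER = b"constructed placeholder: the origin's own self-signed cert"
MITM_CERT_DER = b"constructed placeholder: an attacker's self-signed cert"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pinned_sha256: str) -> bool:
    """Accept the presented certificate only if it is exactly the pinned one.

    A self-signed certificate cannot be validated against a CA, so this
    comparison is the only thing that tells the real origin apart from an
    active attacker who presents a self-signed certificate of their own.
    """
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_sha256.lower())


def connect_pinned(host: str, port: int, pinned_sha256: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection to a self-signed origin and enforce the pin.

    CERT_NONE switches off chain validation (there is no chain to validate),
    which on its own only defeats passive eavesdropping; the fingerprint check
    after the handshake is what restores protection against active attacks.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # binary_form=True returns the peer's DER even when it was not validated.
    der = tls.getpeercert(binary_form=True)
    if der is None or not verify_pin(der, pinned_sha256):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "origin certificate does not match the pinned fingerprint")
    return tls
```

The proxy operator records `cert_fingerprint(ORIGIN_CERT_DER)` once, out of band, and passes it as `pinned_sha256`; an attacker who swaps in their own self-signed certificate is rejected even though the TLS layer accepted it.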


That's amazing. Thank you.


That is excellent. Thank you!


Could you elaborate on this? My impression was that connections between data centres (e.g. in the case of using an EC2 instance with Cloudflare) were already very secure and therefore do not require SSL.


Depends what you're trying to protect against. Those links are notably very insecure against the NSA.


Right. If there were a diagram of this architecture, the NSA would scribble "SSL added and removed here" with a smiley face[1]. It's arguably even worse, since the traffic between CloudFlare and the origin server would be traveling in the clear on the public Internet, as opposed to in the clear within Google's private network.

[1] http://www.washingtonpost.com/world/national-security/nsa-in...


There is also the practical concern for NSA that Cloudflare is a well-resourced, highly motivated company who has publicly committed to protecting customer data. It would be a lot easier to push around a small company or non-profit, especially a company which didn't have the resources or freedom to defend itself. It would certainly be possible to try to get a company like CloudFlare, Twitter, etc. to bend to the NSA's will, but they know they are basically guaranteed a fight. Much safer to go to a smaller hosting provider or the end user organization or personnel themselves.


It's reasonable to suppose that the NSA have a whole bunch of private signing keys for a whole bunch of CAs, and will just MITM anyone they please regardless of our puny efforts.


I'm not sure that's a safe assumption and, regardless, an active MITM attack is a much bigger deal than passively collecting traffic as it flows past you in the clear.


Agree with others that it depends on what you are trying to protect against. It's also worth reading through the options that Cloudflare supports for origin server communication:

http://blog.cloudflare.com/introducing-strict-ssl-protecting...


What's the difference between this and using AWS ELB for HTTPS termination?


Communication from CloudFlare to your server is over the open Internet, whereas that from an ELB to an EC2 instance is within Amazon's datacentre.

