You can setup a Let's Encrypt certificate on your server and use Full SSL (strict). It will also make switching away from Cloudflare in the future easier.
That's right. Cloudflare doesn't try to lock people in with artificial constraints. Use Let's Encrypt for your origin. Very soon we hope to support Let's Encrypt completely for our main certs (once they have wildcard support).
CloudFlare's "Flexible SSL" (https://www.cloudflare.com/ssl/) offers encryption/authentication from CloudFlare's server to the client, but none from the origin server to CloudFlare's. Which means that is a vector by which the content could be sniffed or modified in transit.
It's a "better than nothing" option, as there are a slightly higher number of actively exploited attack vectors that apply to the client to CDN connection than the CDN to origin server, such as "free" wifi that injects ads, malicious ISP DNS, and the like. But it's not actually secure, as the origin server to CDN connection could be tampered with, and just because there are fewer active attacks that would be likely to affect that connection right now, doesn't mean that someone won't come along later and hijack such a connection.
CloudFlare offers other TLS options that do include encryption and authentication between the origin server and CDN, but they do require that you set up a certificate on your server, so if all you're trying to do is enable TLS (and don't care about the CDN), just installing a cert on the origin server and using TLS is probably a simpler option that using CloudFlare.
We encourage users to use Strict mode which requests and validates a certificate from the origin.
It's great that shared web hosting providers and others are starting to make it easy to acquire and install a certificate, but that hasn't always been the case.
EDIT: We also provide an API that will provision a free certificate for your origin: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/. The certificate is optimized for communication with our edge (essentially just as small a chain as possible, as we don't need the intermediate to walk to the root). Either that or use certbot from EFF/Let's Encrypt.
But most people don't want or know how to automate. HTTPS is supposed to be used on very site but not every site is setup by a developer. That's a basic flaw that will make it problematic to have these kinds of HTTPS-only policies.
Not really. You put nginx in front of Varnish and terminate your TLS there. It's not that much more work. Hint: make sure you have an X-Forwarded-For entry in your nginx config. Your root location would look something like:
> Any host that still requires a dedicated IP for https is woefully out of date.
May be true in a perfect world but this is my web host (bluehost):
>> Note: Since SSL Certificates are Domain/IP specific, you must first Purchase a Dedicated IP before purchasing or having an SSL Certificate installed on your account. They will NOT work with a shared IP address.
I'm pretty sure a lot of other hosting services still go that route.
I'm not sure whether they just don't support SNI yet, or whether they are artificially enforcing this restriction so that they don't have to deal with IE6 not working.
It's sadly not just the servers but also the clients... still you're right about that being a really long tail at this point.
Edit:
A quick search seems to indicate that the only typical consumer facing system that doesn't support SNI is IE on Windows XP. It's pretty safe to have a catch-all bucket that informs such users to use a modern, security patches including browser or to upgrade to a different OS.
