If I am not mistaken, CF could also see the private key given to the user when the user is ready to withdraw.
Correct. All the more reason not to use them.
Forum uses cloudflare as well.
That was announced in the topic I quoted theymos from. Allow me to quote some more:
With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using using Cloudflare to protect against DDoS attacks.
I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this
I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies.
The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.