Board: Service Discussion
Topic: Re: 2022 List Bitcoin Mixers Bitcoin Tumblers Websites
by mocacinno on 04/02/2022, 06:50:11 UTC
Merits: 11 from 2 users
⭐ Merited by LoyceV (8), RickDeckard (3)


Maybe you didn’t quite understand me. I meant that the problem with SSL certificates is even more interesting than it seems.

For example, if I register for Cloudflare and pay a $10 tariff, my certificate will be visible to everyone as an outsider. And if I pay $200, I can download any certificate, but the private key is still on Cloudflare. And I can order private DNS. How carefully you examine the site before visiting it.

Cloudflare is a private company. I know they are offering tons of bells and whistles, and they keep adding to their portfolio on a regular basis. Too much for me to keep up with anyways.
But the features you seem to be referring to are their feature to upload your own certs and keys, and the feature for keyless SSL?
I never used these features, but I looked them up for a discussion I had a long time ago, so I'm aware of their technicalities. If I remember correctly (I didn't re-read the whitepaper, this stuff comes from memory) the first feature gives Cloudflare all the tools to generate symmetric keys themselves, the other just gives them only the symmetric keys (and you host some kind of service on your host to let them request a new symmetric key).
These services *might* look "better" to the untrained eye, but in fact they are worse: when you use them you're even hiding the fact that Cloudflare acts as a MITM (but they still are!!!). When you use these services, your customers will never know Cloudflare can (and will!!!) decrypt every package they exchange.

The bottom line is very, very simple and does not differ from which package you buy or which technology they implement: their proxy REQUIRES them to decrypt the traffic between (what the visitor thinks is) the visitor and the webhost.
Why? Well, you know those nice features they offer: DDoS protection and their CDN? Both these things are built on the fact that they keep a big cache of DECRYPTED data from YOUR host on their datacenters. When a client requests a page, they HAVE to be able to see what the client requested (so they HAVE to decrypt the request), then they can see if they have the requested data somewhere on their servers (UNENCRYPTED). When they don't have the data in their cache, they WANT the data in their cache, so they request it from the host, DECRYPT it, and PUT it in their cache before (or after) re-encrypting it and sending it to your client.

That's why they're able to offer DDoS protection: your data is on so many geo-located servers, and they're so big, an attacker just can't muster up a botnet that's so big he/she can tear down Cloudflare. They're still DDoS'ing, Cloudflare does not stop them, Cloudflare just absorbs the requests... Maybe they block them after a while, IDK, but in the first place they just absorb them due to the fact they have your data anyways, and they have dozens of copies of your data all around the world, so let a botnet request a couple million copies: they don't care.

That's why they can speed up your site: they have copies of most of your content all over the world on fast servers: a client downloads most of your content directly from Cloudflare (and not from you), from a fast server close-by.

And in the end it doesn't matter if you use Cloudflare's SSL, you upload your cert+key or you run "keyless SSL" by running a local daemon to generate symmetric keys.... If you use the proxy, they have your data.... Which is bad for a mixer.
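
Added example, not part of mocacinno's post: a visitor-side check that looks past the certificate, since the post's point is that an uploaded or keyless certificate hides the proxy while the connection still terminates at Cloudflare. The function names and sample observations are constructed for illustration, and the range list is a partial snapshot of the IPv4 ranges Cloudflare publishes at cloudflare.com/ips, which should be refreshed before use.

```python
import ipaddress

# Assumption: partial snapshot of Cloudflare's published IPv4 ranges.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "141.101.64.0/18",
    "108.162.192.0/18", "173.245.48.0/20", "188.114.96.0/20", "198.41.128.0/17",
)]

def proxy_indicators(ip, headers, cert_issuer):
    """Return the signs that TLS for this site terminates at Cloudflare."""
    signs = set()
    if any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_V4):
        signs.add("ip-in-cloudflare-range")
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("server", "").lower() == "cloudflare":
        signs.add("server-header")
    if "cf-ray" in h:
        signs.add("cf-ray-header")
    # Weak signal: edge certificates can also be issued by other public CAs.
    if "cloudflare" in cert_issuer.lower():
        signs.add("cloudflare-issued-cert")
    return signs

def assess(ip, headers, cert_issuer):
    """Classify one observation of a site (resolved IP, response headers, issuer)."""
    signs = proxy_indicators(ip, headers, cert_issuer)
    if not signs:
        # Absence of signs does not prove the origin is reached directly.
        return "no-proxy-signs"
    if "cloudflare-issued-cert" in signs:
        return "proxied-cloudflare-cert"
    # Network-level signs with a third-party issuer: the case the post calls
    # hidden, where the certificate alone does not reveal the proxy.
    return "proxied-custom-cert"

# Constructed observations (not captured from any real site).
SAMPLES = [
    ("104.21.5.10", {"Server": "cloudflare", "CF-RAY": "constructed-1"},
     "Cloudflare Inc ECC CA-3"),
    ("172.67.1.1", {"server": "cloudflare", "cf-ray": "constructed-2"},
     "DigiCert TLS RSA SHA256 2020 CA1"),
    ("203.0.113.7", {"Server": "nginx"}, "R3"),
]

def run_samples():
    return [assess(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], verdict)
```
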