Regardless of whether or not you provide your own SSL certificates, Cloudflare still uses their own between their servers and client browsers. So any SSL-encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
I’m either reading this wrong or there’s a disconnect in knowledge. If you have your own SSL cert and do the termination of that on your end, CF cannot do any MITM without an error on the user’s end.
However, if you're just setting up an A record or whatever to your server that isn't doing SSL termination, then yes, they are MITM.
From my observations, my certificate is used between Cloudflare and my server, and another Cloudflare-issued certificate is provided to the client's web browser.
In other words, traffic between the browser and CF servers uses a CF certificate, then traffic between the CF server and my server uses my own certificate.
Another way of putting it is that when I host my site directly, the browser reports the certificate as being generated by LetsEncrypt (by me).
However, when I add CF to the equation, the browser shows Cloudflare as the certificate creator.
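The observation above (which issuer the browser sees versus which one you obtained your own certificate from) can be checked from a script rather than by clicking through the browser's certificate dialog. The following is an added example, not code from the original thread, using only the Python standard library. It fetches the leaf certificate a client receives for a host and compares its issuer organization with the CA you expect your own certificate to come from; the host name, the `example.invalid` subject and the "Example Proxy CA Org" issuer in the sample data are constructed placeholders, not real certificates.

```python
"""Added example: check which certificate a TLS client actually receives.

Not code from the original thread. Standard library only. The host name,
subjects and issuer organizations used in the sample data are constructed
placeholders; replace them with your own domain and the CA that issued
your origin certificate.
"""
import socket
import ssl


def fetch_leaf_certificate(host, port=443, timeout=5.0):
    """Connect to host, complete the TLS handshake and return the leaf
    certificate in the dict form produced by ssl.SSLSocket.getpeercert()."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_organization(cert):
    """Return the organizationName from getpeercert()'s issuer field.

    The issuer is a tuple of RDNs, each RDN a tuple of (name, value) pairs.
    """
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return None


def terminated_at_proxy(cert, expected_origin_issuer):
    """True when the certificate the client sees was not issued by the CA
    you obtained your own certificate from, i.e. TLS is being terminated by
    something in front of your origin rather than by your origin itself."""
    issuer = issuer_organization(cert)
    if issuer is None:
        # No recognisable issuer at all: treat as not your certificate.
        return True
    return issuer.casefold() != expected_origin_issuer.casefold()


# Constructed samples in the shape getpeercert() returns; not real certificates.
SAMPLE_PROXY_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Proxy CA Org"),),
        (("commonName", "Example Proxy CA"),),
    ),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

SAMPLE_ORIGIN_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


if __name__ == "__main__":
    import sys

    # Usage: python check_issuer.py your.domain.example
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    cert = fetch_leaf_certificate(host)
    print("issuer organization seen by client:", issuer_organization(cert))
    print("terminated in front of origin:",
          terminated_at_proxy(cert, "Let's Encrypt"))
```

Run it once against the origin's IP or a non-proxied host name and once against the proxied name: if the issuer organization changes between the two, the client-facing TLS session is being terminated by the proxy, exactly as described in the observation above. The string compared against is the organization name of whatever CA issued your own certificate.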
Cloudflare's Web Application Firewall or 'WAF' is a reverse proxy that sits in front of your server issuing its own certs valid for your domain (Cloudflare is a CA, and has control over your DNS to get others to issue certs for them). They then provide caching alongside DDoS protection, geoblocking, various customizable firewall settings, as well as just masking your server's IP with their own. This is their primary service aside from just basic DNS/registrar services.