But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it but the possibility that a government agency goes that far (eg China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers since we never know what people might be up to.

Most of the time, you'll survive as long as you don't accept invalid certificates! However, if an agency were to be able to request a falsified certificate, then it's game over... but that applies for every secured website out there.

I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.

If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.

So.... I read up a few more things and have a better grasp of the situation now.

Let's start off by stating a few facts:

• Cloudflare is using a MITM (a "trusted" one) to secure websites. That means they do encrypt and decrypt using their certificate, and then send the traffic over to origin server by re-encrypting it with origin server's keys.
• Cloudflare does it interestingly by using one node and signing their own certificates for all domains that use that node. So they sign for cloudflare.com, *.cloudflare.com, and then client domains, like bla1.com, coolwebsite.com, etc.

That said, let's clarify...

They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.

Yes... if this was a regular warrant search. If this was NSL'd, then this would not be the case.

However - they are being slightly transparent by using something called a warrant canary, in which they discreetly notify everyone that they have been NSL'd by removing a certain phrase. But don't interpret this as something that is 100% transparent - if your node got NSL'd on Cloudflare, they won't (and can't) tell you.

If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.

Yes, but this applies to plenty of things:

• Your web service provider can be NSL'd to monitor traffic;
• Your server hosting provider can be NSL'd to install a backdoor on your server;
• Your SSL provider can be NSL'd to give up your private key;
• An American SSL provider can be NSL'd to forge a certificate for your website, and MITM it.

I should note that while the first three are probably nothing to worry about for those in other countries, the last one is very real, and can have global impact for those trying to visit your website.

That said, should I, a server admin, go crazy over all of this? Nope, and here's why:

• Encryption and protection on a server you don't physically control is not going to help. In fact, virtualized instances are not secure at all. The only secure server is a dedicated hardware node that you physically have in your house. And even that isn't necessarily secure!
• Security many websites at once isn't too bad of an idea. This is really big because if suddenly, if millions of websites start being HTTPS, it's harder for the agencies to determine who's who. (In the past, with fewer SSL sites, it's easier to say, "Oh this guy is using SSL, he must be hiding something".)
• Cost vs. benefit. This is probably the biggest reason. If this service provides more security to those who wish to protect sensitive information (or just prevent easy snooping), AND provides DDoS mitigation, AND provides caching, etc. etc., I think the benefits outweigh the costs. Yes, it's true that some agencies see this as a good chance to hop on in and intercept, but there are plenty of other ways for them to do that, and plenty of other opportunities to secure your data with my own efforts.

Nevertheless, I agree that privacy is a major concern that has been overlooked by lawmakers and the like. "Why don't you want the law enforcement to know about what you are doing?" is a strange question to ask - sure, I don't mind (I'm not doing anything illegal), but you're just asking to get mauled.

"They can do X now, so what?" is a question that many people ask. Then said agencies that "do X" will do even more, like Y and Z, which people will really not like! (What if Z was installing a camera in the bathroom and monitoring your "activities" there? Surely you won't mind then? )

That aside - in terms of overall security, going with Cloudflare still seems like the best choice. My only reason for not setting this up yet is due to compatibility concerns, and that Cloudflare shares the same certificate with other domains, which may or may not become an issue - still researching. Of course, for those who are really concerned, I'd be happy to provide a secret, alternate route to access my server without going through Cloudflare.

tl;dr Cloudflare is not immune to NSLs, but they provide more benefit vs. cost; alt methods are available for securing server; despite all of this your privacy is still something you should value!

Let's just not forget that StartSSL gives out free SSL certs for everyone

Yep, and cheap (US$ 60 for 2 years) Class II ones
(at TI-Planet we've upgraded to that (from the free one) partly because of wildcard domains (set up at registration) - it's quite useful, especially with subdomains.)

Edit : btw, HTTPS Everywhere FTW, and for those who didn't know about it

So does this mean I won't be able to access websites that use the free ssl with my android 2.3 gingerbread phone?

To answer your question:

https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/#errorsyoumaysee
All browsers will show the error until they finish provisioning SLL certificates. After that only older browsers will show an error, on which you can just tell it to ignore that error forever. Not all browsers let you remember that choice though.