(Their "data centers" are typically a rack or two of equipment that Cloud Flare ships to a real data center, along with installation instructions.) We asked Cloud Flare to confirm that sniffing is possible at these so-called "data centers," but they didn't respond.
By now we're wondering if there's a plaintext Ethernet port at the back of their equipment rack that makes interception easy and convenient.
Users who see the padlock in their browser assume the whole connection is secure, not just the first hop. The same free service is just as easy for a cybercriminal to put in front of numerous domains registered behind the privacy services of various registrars.
Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email: any subdomain the attacker invents resolves, is served through Cloud Flare, and shows the same padlock.
If so, whether the origin server has its own certificate makes no difference: the request has already been decrypted at the edge, and a certificate on the origin protects only the second hop.
Cloud Flare may claim that plaintext cannot be accessed from their equipment racks, but some decrypt-and-re-encrypt step must occur there; that is the nature of a CDN that terminates TLS on the customer's behalf. (Whether the onward hop to the origin is re-encrypted at all depends on the account's SSL mode: Cloud Flare's "Flexible" mode forwards plain HTTP to the origin, "Full" forwards HTTPS. Either way the request exists in plaintext in the edge's memory.)
Local authorities could be sniffing the plaintext available at these remote racks, and Cloud Flare would have no way of knowing.
This is why Cloud Flare will add a plaintext port to their own hardware someday, if they haven't already.
The Cloud Flare certificates below encrypt the traffic only between the browser and Cloud Flare's edge. The hop from that edge to the origin server is a separate connection, made under whatever certificate (or none) the origin has.
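A practitioner can see this for themselves by comparing the leaf certificate a browser is handed when it resolves the site normally against the one the origin serves when contacted directly with the same SNI. The script below is an added example, not code from the article or from Cloud Flare; it uses only the Python standard library. `fetch_leaf()` does a real, verifying TLS handshake; `summarize()` and `same_leaf()` are pure functions over the dict shape `ssl.SSLSocket.getpeercert()` returns, so they are exercised here on a constructed sample (`SAMPLE_EDGE_CERT`, `SAMPLE_ORIGIN_CERT`, and every hostname in them are made up; the issuer names are not real CAs). The "shared across domains" heuristic is the shape the old shared Universal SSL certificates had: one leaf whose SAN list covers several unrelated customers' domains.

```python
"""Compare the certificate a browser gets via a CDN edge with the origin's own.

Added example, not part of the original article. Standard library only.
"""
import socket
import ssl


def fetch_leaf(hostname, connect_to=None, port=443, timeout=5.0):
    """Verifying TLS handshake; returns the leaf as getpeercert()'s dict.

    connect_to sends SNI for `hostname` to a different address (e.g. the
    origin's real IP instead of the CDN edge DNS points at), so the two
    leaves can be compared. Verification stays on: an origin with a
    self-signed certificate will raise ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    target = connect_to or hostname
    with socket.create_connection((target, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _rdn(rdns, key):
    """Pull one attribute out of the nested ((('k','v'),), ...) structure
    that getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _matches(san, hostname):
    """RFC 6125-style name match: a wildcard covers exactly one label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return san == hostname


def summarize(cert, hostname):
    """Reduce a getpeercert() dict to the facts that matter here: who issued
    the leaf, whether it covers `hostname`, and whether it also covers other
    registrable domains (a shared, multi-tenant edge certificate)."""
    sans = [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Crude registrable-domain heuristic (last two labels): enough to notice
    # a cert shared across unrelated customers, wrong for co.uk-style TLDs.
    roots = {".".join(n.lstrip("*.").split(".")[-2:]) for n in sans}
    return {
        "issuer_org": _rdn(cert.get("issuer", ()), "organizationName"),
        "issuer_cn": _rdn(cert.get("issuer", ()), "commonName"),
        "subject_cn": _rdn(cert.get("subject", ()), "commonName"),
        "serial": cert.get("serialNumber"),
        "san_count": len(sans),
        "covers_host": any(_matches(n, hostname) for n in sans),
        "shared_across_domains": len(roots) > 1,
    }


def same_leaf(a, b):
    """True when two handshakes returned the same certificate."""
    return (a.get("serialNumber") == b.get("serialNumber")
            and a.get("issuer") == b.get("issuer"))


# Constructed sample data in getpeercert() shape (not real certificates).
# The edge leaf has the multi-tenant SAN layout of a shared CDN certificate.
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "sni.cdn.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CDN CA"),),
               (("commonName", "Example CDN Edge CA"),)),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "sni.cdn.example"),
                       ("DNS", "*.shop-one.example"), ("DNS", "shop-one.example"),
                       ("DNS", "*.blog-two.example"), ("DNS", "blog-two.example")),
}
SAMPLE_ORIGIN_CERT = {
    "subject": ((("commonName", "shop-one.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
    "serialNumber": "FFEE01",
    "subjectAltName": (("DNS", "shop-one.example"),
                       ("DNS", "www.shop-one.example")),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1]                               # e.g. www.shop-one.example
    origin_ip = sys.argv[2] if len(sys.argv) > 2 else None
    edge = fetch_leaf(host)
    print("via DNS:        ", summarize(edge, host))
    if origin_ip:
        origin = fetch_leaf(host, connect_to=origin_ip)
        print("direct to origin:", summarize(origin, host))
        print("same certificate:", same_leaf(edge, origin))
```

Run it as `python3 cert_compare.py www.shop-one.example 203.0.113.10` (hypothetical hostname and documentation-range IP). A CDN-fronted site shows a leaf issued to the CDN, often covering names that are not yours, while the direct connection to the origin shows a different serial and issuer, or fails verification entirely if the origin only has a self-signed certificate. Two different leaves for one hostname is the visible proof that the TLS session the browser trusts ends at the edge, not at your server.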
Now add Cloud Flare's free fly-by-night "universal" SSL.
When you email Cloud Flare to open your new account, they ask for your domain.