CloudFlare’s impact on user privacy is very complicated, and depends a lot on the particular site and threat model. It might well be that some users who understand that HTTPS is important are misled when sites use CloudFlare because of the lack of HTTPS to many origin servers (or because the users didn’t expect a CDN to have access to the plaintext of their communications). Unfortunately, there are many things about sites’ back-end security that aren’t very evident to their visitors.
I have contacts at CloudFlare and will gladly encourage them to take more steps to encourage users to provide a secure origin connection. But as @mnordhoff says, Let’s Encrypt has never said that reverse proxy CDN services are inherently improper. These services increase users’ security against many threats and I can’t imagine that we would ever say that they’re not welcome to use Let’s Encrypt certificates.
Like both @simbalion and @_az, I’m concerned that we don’t have a stronger incentive for site operators to provide secure origins when they choose to use CDNs. I think it’s clear just from the conversations on this forum that Let’s Encrypt has been helping a huge amount overall in this regard, because we have repeated questions from people who are already using CloudFlare or a similar CDN (and in some cases have been using it for years) and who have never before had a certificate on their origin servers, and who are now trying to get one from Let’s Encrypt because we’ve removed the financial barrier. So I think our net effect on this dynamic has been enormously positive, and I think everyone working on Let’s Encrypt is going to conclude that we won’t stop helping to increase encryption in one place just because we won’t always increase it in another place.
But I would be thrilled to hear more specific recommendations for CDNs or for anyone else in the picture, and, as I said above, I’d be happy to take the issue up with the CDNs. (I don’t think that the CDNs are likely to want to adopt a requirement that they have to use the same protocol schema that was used to contact the origin server, at least unless we can get many more hosting environments to offer HTTPS by default all the time without any user action—which is certainly something that we’re continuing to pursue.)
I agree that it will be sad if the UI changes in browsers about insecure origins, for example, mainly lead people to simply put their HTTP sites behind a CDN in order to make the UI warnings go away faster. Right now, I don’t think we know how frequently something like that happens.