Yeah, but someone can still get between Cloudflare and GitHub Pages, since the traffic between the two endpoints would still be unencrypted and thus open to MITM.
You may well be hosting or linking to builds though, and if someone could replace a popular project's binary builds with one that'll compromise any machine it's installed on, that's a pretty big deal, especially if some of those machines are production servers.
Actually Cloudflare supports SSL on the backend (as a paid feature) so the only place it could be MITMed is in their network. I'd still like to see it a bit stricter in that I can specify my own self-signed CA that they validate against.
There's nothing "paid" about specifying how we connect to your origin (i.e., with HTTPS or HTTP). This setting is available to all plans, free or otherwise.
During onboarding we attempt to establish a connection to your origin using HTTPS. If successful (i.e., your http daemon is listening on TCP 443, speaks TLS, and presents a certificate), we'll default you to using "Full" mode; if not, "Flexible" mode will be set.
Either way, this setting can be changed at any time: simply log in and click the Crypto app in our top level nav. The setting you are looking for is the first one presented on the screen.
In terms of your second comment, we're planning on rolling out a simple way for you to install a free Cloudflare-signed certificate on your origin and use that in Strict mode ("Full" with full chain validation). Don't have a GA date for this yet, but it will be announced on our blog once available to all (still in beta).
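The onboarding check described in the last comment (does the origin listen on 443, speak TLS, and present a certificate that validates?) is easy to reproduce from the origin owner's side. The following is an added example, not Cloudflare's code; the mode names and their meaning are assumed from this thread, and `probe_origin` is a hypothetical helper name.

```python
"""Probe an origin the way the comments above describe Cloudflare's onboarding
check, and report the strictest edge-to-origin TLS mode it could support.

Mode semantics assumed from the thread (added example, not Cloudflare's code):
  flexible -> origin does not speak TLS on the port (edge->origin is plaintext)
  full     -> origin speaks TLS, but the cert is self-signed, untrusted or
              does not match the hostname (encrypted, not authenticated)
  strict   -> origin presents a certificate whose chain and hostname verify
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class OriginProbe:
    host: str
    port: int
    mode: str          # "flexible", "full" or "strict"
    reason: str        # why the probe settled on that mode
    subject: str = ""  # certificate subject when a verified cert was presented


def _verified_handshake(host: str, port: int, timeout: float) -> dict:
    """Open one TLS connection with full chain + hostname verification."""
    ctx = ssl.create_default_context()  # system CA store, check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert() or {}


def probe_origin(host: str, port: int = 443, timeout: float = 5.0) -> OriginProbe:
    """Classify which origin mode (flexible / full / strict) this origin allows."""
    try:
        cert = _verified_handshake(host, port, timeout)
        subj = ", ".join("=".join(kv) for rdn in cert.get("subject", ()) for kv in rdn)
        return OriginProbe(host, port, "strict", "chain and hostname verified", subj)
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached certificate verification, so TLS itself works:
        # usable in "Full" mode, but "Strict" would reject this certificate.
        why = getattr(exc, "verify_message", str(exc))
        return OriginProbe(host, port, "full", f"TLS ok, verification failed: {why}")
    except (ssl.SSLError, OSError) as exc:
        # Connection refused, timeout, or a plaintext listener on the port.
        return OriginProbe(host, port, "flexible", f"no TLS on port {port}: {exc}")


if __name__ == "__main__":
    import sys
    print(probe_origin(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against your own origin's hostname; a "full" result with a self-signed certificate is exactly the case the Cloudflare-signed origin certificate mentioned above is meant to upgrade to "strict".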