on the use of SSL by Cloud Flare and similar services.The Cloud Flare certificates we found all had the common name in the same style as the "ssl2796.cloudflare.com" shown in that Netcraft report.
Then they scrape your zone file from whatever dubious nameservers are listed at your dubious registrar.
Without asking, they assign you a dubious "universal" SSL certificate.
When they see the padlock on their screen, they feel that everything is safe. It's easy to use for a cybercriminal with numerous domains hidden behind the privacy services of various registrars.
Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.
The ISP replies that everything is encrypted, and Cloud Flare traffic cannot be intercepted.
In other words, nothing can be done about the ISIS sites, carders, booters, gamblers, escorts, phishers, malware, and copyright infringers that Cloud Flare protects. It's fairly obvious you ask this ISP to block the Cloud Flare IP addresses used by the offending domains (this is already happening in Russia).
Now add Cloud Flare's free fly-by-night "universal" SSL.
When you email Cloud Flare to open your new account, they ask for your domain.
After all, Cloud Flare has engineers who come up with clever techniques to enhance SSL.