
I believe it is the standard free level, "Universal SSL" cert that Cloudflare will provide sites on free tier, if they opt for proxying through Cloudflare.



So all credit card numbers submitted by the form are viewable by Cloudflare? That does not inspire confidence


Does it matter? I really feel like I am missing some key knowledge about why people care that their credit card number might be stolen—especially when compared to much more immutable private information like your email address, home address, or phone number.

Cardholder agreements for credit cards typically say that you aren’t liable for any fraudulent charges so long as you report them within a couple of billing cycles. I once had my credit card number stolen, called the bank to report it, and they reversed the charge and sent me a new card via FedEx Express. The whole process took less than ten minutes.

What don’t I know? Is it just that when companies emphasise “no credit card information was stolen” in their data breach announcements that this gives a false impression that this data is more important to keep secret, or what?


I think part of it is successful brainwashing from banks to make people believe credit card number theft === identity theft === the individual's responsibility, not the banks.

Otoh, it can be pretty time-consuming and annoying to charge back transactions and get a new card. In Switzerland for instance I have to print out a multi-page form, fill it in, send it back by physical mail (yup) then my bank follows up after a few weeks and a few more phone calls. And I have to pay a fee to get the card replaced. So yeah the transactions aren’t on me but the hassle and fees are... This was much more straightforward in North America though.


There are a lot of people who don't care at all about their personal info, and the only negative effect of an identity theft is having to call the bank and changing your CC# (my mother for example who has had her ID stolen multiple times because she is careless with her personal info)


Yes, and you also have no guarantee that Cloudflare is sending them back to the origin over a secure connection. 3 of the 4 SSL options they give customers would be considered insecure by browser standards.


But since you are trusting Visa and it is trusting Cloudflare in this arrangement (and it's not very different from if you used a bulk hosted site and technically the bulk host could be eavesdropping) actually only one of those 4 options makes a practical difference.

The case where the backend is plaintext HTTP is different because a third party between Cloudflare and Visa could eavesdrop that silently (split fibre can make this utterly seamless for normal network technology) with no permission from either of them.

But in the other three cases either Visa, or Cloudflare, or both would have to agree to let somebody else snoop, which agreement they could make even if this was on-premises at Visa's own facility. That's not a technical problem, that's Visa betrayed you for whatever reason.

Arguably one of the options that would be "considered insecure by browser standards" is actually safer for Cloudflare sites, because you can't attack it from the Web PKI. Cloudflare Origin CA isolates you from such an attack, bad guys would need to attack Cloudflare to get a valid certificate from them, certificates from another CA would not work if it's locked down to Cloudflare Origin CA.
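The pinning point in the comment above, as an added example that is not part of the thread and not Cloudflare's code: a verifier whose only trust anchor is one private CA accepts a leaf issued by that CA and rejects a leaf for the same hostname issued by any other CA. The CA names, the hostname `origin.example` and all certificates are constructed locally for the demo; it assumes the `openssl` CLI (1.1.0 or later) is installed.

```shell
#!/bin/sh
# Added example. Every CA, key and certificate here is generated locally and
# is constructed for the demo: "origin-ca" stands in for a private origin CA,
# "other-ca" for any other issuer (for example one from the Web PKI).
set -eu

# Create a self-signed CA: make_ca DIR NAME
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a leaf for the same hostname from a given CA: issue_leaf DIR CA LEAF
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Verify LEAF with CA as the trust anchor and the system CA directory
# disabled: pinned_verify DIR CA LEAF -> prints "accept" or "reject"
pinned_verify() {
  if openssl verify -no-CApath -CAfile "$1/$2.pem" "$1/$3.pem" \
      >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Build both CAs, issue one leaf from each, verify both against origin-ca only.
run_demo() {
  d=$(mktemp -d)
  make_ca "$d" origin-ca
  make_ca "$d" other-ca
  issue_leaf "$d" origin-ca leaf-a
  issue_leaf "$d" other-ca leaf-b
  a=$(pinned_verify "$d" origin-ca leaf-a)
  b=$(pinned_verify "$d" origin-ca leaf-b)
  rm -rf "$d"
  echo "origin-ca-leaf=$a other-ca-leaf=$b"
}

run_demo
```

Both leaves carry the same subject, so the rejection of the second one comes from the issuer check alone, not from a hostname mismatch.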


Does CloudFlare specifically matter? Most services you use are not SSL-terminated on own servers, so most of the time there’s a third party that can theoretically access your data.


It's the standard Cloudflare cert, the plan used for the site is irrelevant.

Source: Using CF Enterprise.



