
Cloudflare is a public CA. They can issue themselves a certificate for literally any domain, whether it is served by cloudflare or not.



Cloudflare are not a public CA (see bottom), they use public CAs just like the rest of us. I'm sure they have special enterprise arrangements with each of them.

Supported TLS certs via Cloudflare: https://developers.cloudflare.com/ssl/reference/certificate-...

Those public CAs have to verify domain ownership via the methods outlined in the CA/Browser Forum's baseline requirements. None of which Cloudflare would be able to follow (on behalf of these domains in question) if they did not use either of Cloudflare's authoritative nameservers or WAF/CDN.

Now, if Cloudflare were a public CA, they would still have to behave correctly and follow the baseline requirements otherwise they would be distrusted by clients.

Note that Cloudflare have a certificate authority called 'Origin CA' https://blog.cloudflare.com/cloudflare-ca-encryption-origin/, it is not publicly trusted though. It doesn't need to be, it's for website operators to install on their own web server, before it gets fronted by Cloudflare - rather than just running a self-signed cert or serving plaintext.

Trusted root certs:

Apple: https://support.apple.com/en-gb/121672

Mozilla: https://ccadb.my.salesforce-sites.com/mozilla/CAInformationR...

Microsoft: https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...

Chrome: https://chromium.googlesource.com/chromium/src/+/main/net/da...


I'm pretty sure Cloudflare uses Let's Encrypt.

It doesn't look like they are a sponsor of Let's Encrypt though, so I doubt they have any kind of special arrangement with them.


Thanks for the explanation. Also, your username is very appropriate.


I tell it how it is :)


So they are the official man in the middle? If that is true then it is a complete mockery of the entire theater of https everywhere.


Cloudflare have only ever been able to do their job (on the reverse proxy CDN/WAF side), by doing full TLS interception. They see the session in plaintext.

The customer grants Cloudflare a TLS certificate for their site either by uploading a cert manually, or letting Cloudflare issue a cert via the ACME protocol. They use that to present the site to the world. Cloudflare connects back to the origin site, and the origin either uses HTTP (bad! but possible), HTTPS with a self signed cert, HTTPS with another publicly trusted cert, or a cert that Cloudflare issues with their own (not publicly trusted) CA called Origin CA.

As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.

One of those massive risks turned reality with Cloudbleed in 2016/2017: https://en.wikipedia.org/wiki/Cloudbleed

https://project-zero.issues.chromium.org/issues/42450151

https://blog.cloudflare.com/incident-report-on-memory-leak-c...

https://blog.cloudflare.com/quantifying-the-impact-of-cloudb...
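The two comments above make the same point from both ends: a public CA issues only after a domain-control check (HTTP-01 or DNS-01 in ACME), and whoever answers the domain's HTTP or serves its zone is the party that can pass that check. The toy model below (added here, not code from the thread or from Cloudflare; the account key JWK and the party/domain scenario are constructed) simulates RFC 8555 key authorizations and shows which parties could satisfy each challenge for a domain, so you can see exactly what delegating DNS or HTTP fronting to a provider delegates along with it.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME (RFC 8555) uses for binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, account_jwk: bytes) -> str:
    """RFC 8555 s8.1 key authorization: token '.' base64url(SHA-256(account key JWK))."""
    return f"{token}.{b64url(hashlib.sha256(account_jwk).digest())}"

def http01_ok(domain: str, token: str, keyauth: str, web: dict) -> bool:
    """HTTP-01: the CA fetches the challenge URL over port 80 and expects the key authorization."""
    return web.get((domain, f"/.well-known/acme-challenge/{token}")) == keyauth

def dns01_ok(domain: str, keyauth: str, dns: dict) -> bool:
    """DNS-01: a TXT record at _acme-challenge.<domain> must hold base64url(SHA-256(keyauth))."""
    return b64url(hashlib.sha256(keyauth.encode()).digest()) in dns.get(f"_acme-challenge.{domain}", set())

def parties_able_to_validate(domain: str, parties: dict) -> dict:
    """Simulate, for each party, what it could publish on the paths it controls and
    which challenge types the CA would then accept for `domain`."""
    token = b64url(secrets.token_bytes(32))
    # Constructed placeholder for the ACME account key JWK; any bytes work for the thumbprint.
    keyauth = key_authorization(token, b'{"kty":"EC","crv":"P-256","x":"placeholder","y":"placeholder"}')
    result = {}
    for name, control in parties.items():
        web, dns = {}, {}
        if domain in control["http_fronted"]:          # party answers HTTP for the domain
            web[(domain, f"/.well-known/acme-challenge/{token}")] = keyauth
        if domain in control["dns_authoritative"]:     # party serves the domain's zone
            dns[f"_acme-challenge.{domain}"] = {b64url(hashlib.sha256(keyauth.encode()).digest())}
        result[name] = {"http-01": http01_ok(domain, token, keyauth, web),
                        "dns-01": dns01_ok(domain, keyauth, dns)}
    return result

# Constructed scenario: who controls which validation path for example.com.
PARTIES = {
    "origin_operator":    {"http_fronted": {"example.com"}, "dns_authoritative": {"example.com"}},
    "cdn_proxy":          {"http_fronted": {"example.com"}, "dns_authoritative": set()},
    "dns_host":           {"http_fronted": set(),          "dns_authoritative": {"example.com"}},
    "unrelated_provider": {"http_fronted": set(),          "dns_authoritative": set()},
}

if __name__ == "__main__":
    for party, outcome in parties_able_to_validate("example.com", PARTIES).items():
        print(f"{party:20s} {outcome}")
```

The unrelated provider passes neither challenge, which is the comment's point: a CA that follows the baseline requirements cannot issue to a party that holds neither the zone nor the HTTP path, and a party that does hold one of them can obtain publicly trusted certificates whether or not the site owner thinks of it that way.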


> As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.

In that case there is no way that company is not hooked into the intelligence services. I am certain they do go through the ceremony of legality for many actions, but it is unreasonable to think no intelligence service has attempted to critically penetrate it. Add the mix of ideology du jour of the SV "VC intelligentsia" and software youth brigades.

You are entirely correct to point out that it is our "trust" that is taken for granted. And granted to CloudFlare by SV, YCombinator, and of course HackerNews itself, which dumps on any voices raising concerns over these obvious "massive risks" so that the unauthorized delegation of trust is done behind our backs by capital and other interested parties. DDoS prevention is kind of like kiddie porn prevention, a perfect pretext for opening the door to equally serious violations of our trust and rights.


Now you get it.


> They can issue themselves a certificate for literally any domain, whether it is served by cloudflare or not.

They can but they're not allowed to, that's the entire point.



