All of these "universal" certificates include that magical wildcard subdomain that invites so much mischief.
Some critics are referring to these Cloudflare certificates as "fraudulent" because the domain ownership validation (a necessary component of the SSL standard) is achieved only from Cloudflare's initial access to the zone file.
The ISP replies that everything is encrypted, and Cloudflare traffic cannot be intercepted.
In other words, nothing can be done about the ISIS sites, carders, booters, gamblers, escorts, phishers, malware, and copyright infringers that Cloudflare protects. It's fairly obvious: you ask this ISP to block the Cloudflare IP addresses used by the offending domains (this is already happening in Russia).
Now add Cloudflare's free fly-by-night "universal" SSL.
When you email Cloudflare to open your new account, they ask for your domain.
The same situation exists for anyone who needs a throwaway email address that's nearly impossible to trace.
After all, Cloudflare has engineers who come up with clever techniques to enhance SSL.