There is ONLY one reason CF delivers DDOS protection for 'free', which is usually a rather expencive service.
Because being Man in the Middle (their proxy setup) only have value if you spy on everyone. Website visitors password, usernames and any data they recieve and send AND sell this to someone who is willing to pay for this costly endeavor.
So, any website using CF should be labeled as a honeypot in you mind. Often they are not aware of their user betrayal the users are equally unknowing.
