I am not too familiar with Cloudfare but I would say in my opinion no since the visitor would be connecting to your website via http first (if I understand correctly). Google bot would detect this. This was discussed before here on WebmasterWorld but the whole secure message is more than a little misleading to the average visitor as the website may use secure encryption to communicate with the visitor but may be completely unsecure elsewhere (either communicating with another server, bad code, etc...).

Google bot would detect this.

How?

the visitor would be connecting to your website via http first (if I understand correctly).

It goes the other way around the visitor connects to the Cloudflare proxy server first (https) and then the communication between the proxy and the web-server is http. As far Google and your browser is concerned this is sufficient. The caveat being if ever the proxy gets hacked then communications could be intercepted between the proxy and web-server.

visitor connects to the Cloudflare proxy server first

Okay then Google would not detect it then and you should be fine at least for the secure message showing up.

What NickMNS said. CloudFlare's "Flexible SSL" works just fine, in terms of what Google and browsers see.

I looked at this last year (the free Cloudflare account), and initially thought it might be a good solution. But I ultimately rejected it, mainly because you're depending on two different companies ( your host and Cloudflare), which "doubles" the risk of something eventually going wrong.

I still haven't found any other options I like either, so my sites are still http.

which "doubles" the risk of something eventually going wrong.

What could go wrong. You suddenly will not be https anymore? So to mitigate that risk you are not https at all. Sorry I don't see the logic. Just use Cloudflare until you find a suitable solution.

CloudFlare's "Flexible SSL" makes migrating to HTTPS really, really easy, and it's been reliable since I started using it months ago. I wouldn't use it if I were running a bank or an e-commerce site (since traffic between the origin server and CloudFlare's network isn't encrypted), but for an information site doesn't ask for confidential user data, it's a great solution. It sure beats getting labeled "Not secure" in Web browsers.

I still haven't found any other options I like either, so my sites are still http.

What is preventing you from configuring your site to be HTTPS , directly at your host?

CloudFlare's "Flexible SSL" makes migrating to HTTPS really, really easy, and it's been reliable since I started using it months ago. I wouldn't use it if I were running a bank or an e-commerce site (since traffic between the origin server and CloudFlare's network isn't encrypted), but for an information site doesn't ask for confidential user data, it's a great solution. It sure beats getting labeled "Not secure" in Web browsers.

I know the risk is low, but you are still exposed to hackers being able to inject malicious code into your pages, between your server and Cloudflare.

What could go wrong.

Have you never heard of the "strong" version of Murphy's Law:

"Even if nothing can go wrong, something still will."

It sure beats getting labeled "Not secure" in Web browsers.

I checked the logs and stats for several of my sites a few days ago, and didn't see any noticeable change in the bounce rates and user engagement from past months. Evidently the vast majority of internet users are like me and don't notice the little "Not secure" warning. Also, I design my sites to load almost instantly and immediately grab a visitor's attention.

Evidently the vast majority of internet users are like me and don't notice the little "Not secure" warning.

I don't think this is a problem for a while. But, there is a possibility, that, with the time, web browsers become more "aggressive". And I think that, in a couple of years, web browsers might block the access to non HTTPS site, and request the user an explicit action to access them. Like a warning message, requesting the user to click to confirm he really wants to access the site in spite of "risks".

So I think everybody should switch, and not end to do it in a rush, if it happens. And it still profits from your user to have the connection between your server and their device encrypted. Even if you do not collect information, hackers can be very creative to exploit a non secured connection.

Is there any comment from Google directly on this topic? Seen lots of people recommending using a WAF's HTTPS connection but no confirming word from Google themselves as far as I know which always leaves me suspicious. You know with how Google is obsessed (to good measure) with making the internet safer and all that. Server to website is still vulnerable, minor vulnerability but still.

I've seen legit sites do the Cloudflare/WAF HTTPS method but also plenty of spam sites too. I think using a WAF's HTTPS connection is great for big websites for whom making a move from HTTP to HTTPS would be chaos and too costly. Surely Google will have consider these webmasters too and give the OK to using an HTTPS connection for traffic via a WAF with an HTTP server to website connection. The WAF products I've seen will turn everything to HTTPS including images, script etc on the front end to make sure no mixed content.

What I'd missing is G's confirmation on this. From the look of the replies here it does seem that using a Cloudflare/WAF HTTPS setup for traffic on an HTTP site would work as far as G's OK with a secure connection. Any more opinions?

I don't think this is a problem for a while. But, there is a possibility, that, with the time, web browsers become more "aggressive". And I think that, in a couple of years, web browsers might block the access to non HTTPS site, and request the user an explicit action to access them. Like a warning message, requesting the user to click to confirm he really wants to access the site in spite of "risks".

So I think everybody should switch, and not end to do it in a rush, if it happens. And it still profits from your user to have the connection between your server and their device encrypted. Even if you do not collect information, hackers can be very creative to exploit a non secured connection.

I disagree. For Google to do this they better differentiate between websites then. Commercial bank? Yes. Governmental website on diabetes? Meh. HTTPS websites can still be hacked. Man in the middle attacks are popular with commerce websites. Many informational websites (good ones, not those spammy ones) have their reasons for not moving to HTTPS. One is cost and the other is making a mess about it. Not the whole internet uses Wordpress.

Also a huge 'non secure warning' on a non commercial website would scare people away despite the website may have excellent content. This would affect Google directly with Chrome as ranking excellent non HTTP websites that display a huge warning block would lead to a bad user experience of the search results. What are they going to do then? Just rank spam websites with an HTTPS connection via a free SSL certificate implemented on the fly?

The websites that should be using an HTTPS connection should have been doing so 4-5 years ago. This isn't something new.

I've seen legit sites do the Cloudflare/WAF HTTPS method

When a site uses Cloudflare , it doesn't mean that the connection is not secure between cloudflare's servers and the server(s) hosting the site. So you can't assume that, if a site is having an HTTPS connection through cloudflare, it means the connection between cloudflare and the site is insecure. You can't know that. There are plenty other reasons to use Cloudflare (global distribution, cdn, ddos protection, etc...)

My biggest concern about Cloudflare is more about sharing IP with hundreds, thousands or more other sites. In the past, Google could penalize a site, if it was running on the same IP as other "bad neighbors". It causes issues with Cloudflare, but this was in the past, since Google is taking in consideration the nature of services like Cloudflaire or AWS, but...

HTTPS websites can still be hacked. Man in the middle attacks are popular with commerce websites.

Oh, I didn't know that. Do you have a link to an article explaining it? I'd like to study it. Thank you.

One is cost and the other is making a mess about it. Not the whole internet uses Wordpress.

Even if you are not using Wordpress, it's very easy to switch, and free. If you are not a sys admin , then you are certainly using a plug-and-play host, which will have a button to switch, and if you are sys admin, you know how to configure your web server to use a TLS certificate. (and if you are in the middle, you use an admin GUI, like CPanel, Webmin, etc... and this is also one button to press...)